
Alston & Bird Privacy, Cyber & Data Strategy Blog


Department of Defense Suspends the CMMC Pilot Program And CMMC Requirements In DoD Solicitations Pending Major Changes For CMMC 2.0.

November 5, 2021 By Amy Mushahwar and Jon Knight

The Department of Defense (“DoD”) recently announced it will be revamping the nascent Cybersecurity Maturity Model Certification (“CMMC”) program pending two separate rulemaking processes.  As detailed below, the DoD will be updating “the program structure and the requirements to streamline and improve implementation of the CMMC program.”  We will be monitoring the rulemaking process for more details as they become known.  The primary short-term takeaway is that until the rulemaking process is complete, the DoD is suspending the CMMC Pilot Program and will not include CMMC requirements in any DoD solicitations.  However, the DoD is evaluating how it could “provide incentives” to contractors who voluntarily obtain a CMMC certification in the interim.

CMMC 1.0 Included Five Certification Levels And All Levels Required A Third Party Assessment For Certification.

CMMC 1.0 was designed to have five certification levels: (1) basic cyber-hygiene; (2) intermediate cyber-hygiene; (3) good cyber-hygiene; (4) proactive; and (5) advanced/progressive. These levels, achieved based on scoring for up to 173 different controls, were derived from multiple other cybersecurity standards but unified into a whole framework.  Additionally, in order to be certified at a particular level under CMMC 1.0, a contractor was required to be assessed by a CMMC Third-Party Assessment Organization (C3PAO).  But accrediting and approving these C3PAOs proved to be a significant bottleneck for CMMC 1.0.

CMMC 2.0 Will Only Include 3 Certification Levels

According to the DoD’s announcement, CMMC 2.0 will eliminate certification Levels 2 and 4.  It appears that the requirements for Level 1 will remain the same, while the requirements for the new Level 2 (formerly Level 3) will be split depending on the needs of specific procurements.  The new Level 3 (formerly Level 5) requirements are still under development.  The DoD also announced it is “removing CMMC-unique practices and all maturity processes from the CMMC Model.”

CMMC 2.0 Will Allow For Self-Certification To Some Requirements. 

Instead of requiring that all certifications be conducted by a C3PAO, CMMC 2.0 will now allow for self-certification in some circumstances.  For Level 1, contractors will now be able to conduct annual self-assessments with an annual affirmation by company leadership.  For Level 2, the DoD will now identify “prioritized acquisitions” and related CMMC requirements that would require independent assessment and certification, and “non-prioritized acquisitions” that would require an annual self-assessment and company affirmation.  While these self-attestations and company affirmations may increase the risk of potential False Claims Act liability, they will remove the costs and administrative burden on contractors of obtaining and maintaining certifications.  They do, however, increase the importance of a careful, thorough self-assessment process conducted under privilege to reduce any False Claims Act risk.

CMMC 2.0 May Also Include A Waiver Process.

Flexibility in implementation is another stated goal for CMMC 2.0.  As such, the DoD plans to create a waiver process where specific CMMC requirements could be waived by the procuring entity under certain circumstances.  Details on this waiver process are not yet known.

Filed Under: Cybersecurity, Regulation Tagged With: CMMC, Cybersecurity certifications, Department of Defense, government contractors

About Amy Mushahwar

Amy Mushahwar is a partner with Alston & Bird’s Privacy, Cyber & Data Strategy Team. Amy has over 20 years of experience in the technology space and focuses her practice on data security, cyber risk, privacy, and emerging technologies. She advises clients on proactive data security practices, data breach incident response, and regulatory compliance.

About Jon Knight

Jon Knight is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team in the Washington, D.C. office. He focuses his practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
