The Department of Defense (“DoD”) recently announced it will be revamping the nascent Cybersecurity Maturity Model Certification (“CMMC”) program pending two separate rulemaking processes. As detailed below, the DoD will be updating “the program structure and the requirements to streamline and improve implementation of the CMMC program.” We will be monitoring the rulemaking process and will report details as they become known. The primary short-term takeaway is that until the rulemaking process is complete, the DoD is suspending the CMMC Pilot Program and will not include CMMC requirements in any DoD solicitations. In the interim, the DoD is evaluating how it could “provide incentives” to contractors who voluntarily obtain a CMMC certification.
CMMC 1.0 Included Five Certification Levels And All Levels Required A Third Party Assessment For Certification.
CMMC 1.0 was designed to have five certification levels: (1) basic cyber-hygiene; (2) intermediate cyber-hygiene; (3) good cyber-hygiene; (4) proactive; and (5) advanced/progressive. Each level was achieved by demonstrating a cumulative set of practices (up to 173 different controls at the highest level) that were drawn from multiple existing cybersecurity standards and unified into a single framework. Additionally, in order to be certified at any level under CMMC 1.0, a contractor was required to be assessed by a CMMC Third-Party Assessment Organization (“C3PAO”). Accrediting and approving enough C3PAOs to assess the defense industrial base proved to be a significant bottleneck for CMMC 1.0.
CMMC 2.0 Will Only Include Three Certification Levels.
According to the DoD’s announcement, CMMC 2.0 will eliminate certification Levels 2 and 4 of the prior model, leaving three levels. It appears that the requirements for Level 1 will remain the same, while the requirements for the new Level 2 (formerly Level 3) will be aligned with the existing NIST SP 800-171 controls and applied differently depending on the needs of specific procurements. The new Level 3 (formerly Level 5) requirements are still under development. The DoD also announced it is “removing CMMC-unique practices and all maturity processes from the CMMC Model,” meaning that contractors will be measured against established NIST requirements rather than practices created solely for CMMC.
CMMC 2.0 Will Allow For Self-Certification To Some Requirements.
Instead of requiring that all certifications be conducted by a C3PAO, CMMC 2.0 will allow for self-certification in some circumstances. For Level 1, contractors will be able to conduct annual self-assessments accompanied by an annual affirmation from company leadership. For Level 2, the DoD will identify “prioritized acquisitions,” which will require independent third-party assessment and certification, and “non-prioritized acquisitions,” which will require only an annual self-assessment and company affirmation. While these self-assessments and company affirmations may increase the risk of potential False Claims Act liability, they will remove the cost and administrative burden of obtaining and maintaining third-party certifications. This shift does, however, increase the importance of a careful, thorough, and well-documented self-assessment process, conducted under privilege where possible, to reduce False Claims Act risk.
CMMC 2.0 May Also Include A Waiver Process.
Flexibility in implementation is another stated goal for CMMC 2.0. To that end, the DoD plans to create a waiver process under which specific CMMC requirements could be waived by the procuring entity under certain circumstances. Details on the scope of this waiver process, and on who may approve a waiver, are not yet known.