DOD revamps controversial CMMC program

After a nine-month review, the Defense Department is replacing its original cyber compliance program for the industrial base with CMMC 2.0, putting more emphasis on self-assessment.

Pentagon (DoD photo by Master Sgt. Ken Hammond, U.S. Air Force)


The Department of Defense is revamping its cybersecurity compliance program for government contractors, after a nine-month internal review and complaints from vendors large and small over the cost and complexity of the requirements.

Cybersecurity Maturity Model Certification 2.0, announced Nov. 4, promises a new strategic direction for protecting federal contract information and controlled unclassified information that allows for more self-assessment, eliminates several tiers of compliance and reduces the role of third party assessment.

"CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base," Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a statement. "By establishing a more collaborative relationship with industry, these updates will support business in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DOD requirements."

DOD will establish and implement new CMMC policies through the rulemaking process, including a period for public comment, according to a notice that was posted and then removed from the Federal Register on Nov. 4. That document states that CMMC pilots will be suspended until the CMMC 2.0 rule changes take effect, and that going forward CMMC requirements will not be included in DOD solicitations.

The move "raises the bar on security but reduces the compliance," said John Weiler, CEO of the IT-Acquisition Advisory Council and a frequent critic of the CMMC program.

The revamp of the CMMC program also appears to dovetail with a recent move by the Justice Department to launch the Civil Cyber-Fraud Initiative to target contractors that "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."

Weiler noted that companies that fraudulently self-assess could face false claims lawsuits from the DOJ's Civil Division.

Under CMMC 2.0, third party assessment will be focused "on companies supporting the highest priority programs," according to a one-page explainer released by DOD to announce the new direction of the program.

According to a DOD website launched to explain CMMC 2.0, contractors will be "required to obtain a third-party CMMC assessment for a subset of acquisitions... requiring Level 2 ('Advanced') cybersecurity standards that involve information critical to national security." The CMMC Accreditation Body (CMMC-AB) will maintain its role in accrediting assessment organizations. DOD intends for government personnel to conduct assessments of contractors subject to higher-level cybersecurity requirements. The website also notes that DOD is charged with approving "all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem."

CMMC-AB CEO Matthew Travis welcomed the changes but noted the potential for some disruption.

"There will be some short-term challenges to confront such as curricula adjustments our training providers will now need to make, and the time requirement for yet another round of federal rulemaking," Travis said. "But now that there is a definitive way forward, I hope all parties move with alacrity." He added that he anticipated "the market demand for CMMC Certification to be significant."

The changes will be discussed at a CMMC-AB town hall meeting scheduled for Nov. 9.

This article was updated Nov. 4 with additional information.