DOD Suspends Cybersecurity Certification Program Pending Major Changes
The Pentagon outlined the changes ahead for its Cybersecurity Maturity Model Certification program with two new rulemaking processes.
The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.
The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of DOD programs were selected to pilot it this year. Now the Pentagon says it is looking to streamline the program as CMMC 2.0 and make it more collaborative with industry, through two new rulemakings under the Code of Federal Regulations.
“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” reads a notice set to publish Friday in the Federal Register. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”
At the heart of CMMC was an assertion by Pentagon officials that the current system of allowing defense contractors to self-attest, or simply pledge, their adherence to cybersecurity standards outlined by the National Institute of Standards and Technology is not working. The officials pointed to continued theft of intellectual property by Chinese nation-state actors as their chief indicator. CMMC established five levels of cybersecurity for contractors to meet depending on the criticality of the data they would be working with.
According to the notice, CMMC 2.0 would remove levels two and four, reducing the model to three levels. All level one contractors would be allowed to self-attest to their cybersecurity. The notice said the second level of contractors, previously level three, would be “bifurcated” into priority and non-priority acquisitions, with the latter also being able to self-assess rather than undergo an independent third-party assessment. Rules for the third and highest level, previously level five, are yet to be determined.
The new model would also remove additional controls added under the initial program and rely only on those in NIST’s Special Publication 800-171, the longstanding basis for the department’s cybersecurity assessments. The modifications would include “removing CMMC-unique practices and all maturity processes from the CMMC Model,” the notice said.
Another major change under CMMC 2.0 would be the department’s acceptance of a Plan of Action and Milestones, or PoAM, a sort of to-do list with deadlines for controls not yet in place, from contractors. Former CMMC leader Katie Arrington, currently on leave while suing the department over alleged mishandling of classified information, had said PoAMs would not be considered and that companies would have to be certified to their required level of the standard at the time of contract award.
There would also be a general waiver process, if approved, according to the notice.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a press release Thursday. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
DOD said the changes stem from an internal review of the program that started in March. The review was led by Salazar, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, Executive Director of U.S. Cyber Command David Frederick and Deputy Chief Information Officer for Cybersecurity David McKeown, according to the release.