The Pentagon plans to finalize its Cybersecurity Maturity Model Certification 2.0 rule by fall 2024 in response to increasing cyberattacks on its supply chain by foreign adversaries.
CMMC 2.0 will help the Department of Defense verify the maturity levels of certain cyber systems and processes with a focus on the protection of sensitive information stored on contractor networks.
The Pentagon enacted CMMC in November 2020 to ensure that contractors’ cyber hygiene was good enough to do business with the government. CMMC 2.0 is expected to be released by the Office of Management and Budget for public comment soon, and contractors that fail to meet its requirements will not be awarded DOD contracts.
Notable changes with CMMC 2.0 include a consolidation of the five maturity levels into three, and the elimination of unique practices and processes in favor of mirroring existing frameworks’ requirements. Those frameworks come from the National Institute of Standards and Technology (NIST): Special Publications 800-171 and 800-172 in particular, rather than the separate NIST Cybersecurity Framework.
“Alignment with NIST will increase regulatory alignment, allowing contractors to easily match existing security measures with CMMC compliance requirements,” says Marcus Fowler, CEO of Darktrace Federal.
CMMC 2.0 Will Allow for Flexible Contractor Security Assessments
CMMC 2.0 will also reduce costs for contractors, allowing certain companies to demonstrate compliance through self-assessments rather than third-party assessments, Fowler says.
The rule is designed to address its predecessor’s shortcomings by allowing flexible implementation of reliable assessments, and it is meant to serve several DOD goals.
“These include safeguarding sensitive information, enforcing cybersecurity standards, ensuring accountability, fostering a collaborative culture and maintaining public trust," says Adam Marrè, CISO at Arctic Wolf. “Complying with CMMC requires a cohesive security strategy that incorporates diverse solutions like compliance platforms, encrypted assets, data backups and monitoring tools to address vulnerabilities.”
Making the decision to keep a CMMC program in-house should not be taken lightly, Marrè adds.
“Failing the third-party CMMC 2.0 audit on the first attempt may result in needing to correct security shortcomings and facing a potential backlog of audits before receiving a second opportunity,” Marrè says.
CMMC originally made it challenging for small and midsize organizations due to the cost and resource requirements involved in the certification process, which required assessments executed by a third party.
“In 2.0 they can self-assess annually for Level 1 and in certain instances for Level 2," says Antonio Sanchez, principal evangelist at Fortra. “This allows them to be more competitive and provides a much larger pool of contractors to deliver products and services.”
Action Plans and Waivers Are on the Table in Special Situations
CMMC 2.0 simplifies the requirements for contractors and aligns with NIST SP 800-171 Revision 2 for Level 2 and NIST SP 800-172 for Level 3, while Level 1 remains unchanged from the original CMMC Level 1.
“Organizations should identify the CMMC requirement for the products or services they want to deliver,” Sanchez says. “The reason is because they may want to achieve Level 2 but only require Level 1, which is a much faster path to compliance, as it only requires self-assessment.”
The new rule will seek to increase flexibility of implementation, allowing certain companies to submit action plans (Plans of Action and Milestones, or POA&Ms) to DOD for requirements they have not yet met, and allowing the department to grant waivers in limited situations.
“This demonstrates DOD’s efforts to foster greater collaboration, allowing companies to do business with DOD if they show a commitment to strengthening their cybersecurity posture moving forward,” Fowler says.