CMMC 2.0 – More Companies may have to get an External Assessment

February 24, 2022

The Pentagon in 2021 announced a revamping of the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC is a comprehensive initiative launched to encourage the defense industrial base to better protect all controlled unclassified information (CUI) against unforeseen cyberattacks. The rules under CMMC will affect more than 300,000 contractors in the defense base. “The revamped version, the CMMC 2.0 was launched on the 4th of November after a thorough internal assessment of the initial program to identify potential improvements in its implementation”, Pentagon spokesperson Jessica Maxwell said in a statement to National Defense in April 2021.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Salazar – the deputy assistant secretary of defense for industrial policy – said in a press release. “By establishing a more collaborative relationship with the industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers in compliance with DoD requirements.”

Through the CMMC program, the U.S. Department of Defense planned on “bifurcating” the requirements for contractors that handled CUI. This would be done by assigning a security compliance level ranging from Level 1 to Level 3. Initially, 80,000 contractors were identified, and only half of those would be obligated to conduct a third-party assessment of their cybersecurity programs. However, more than a week ago, on Feb 10, the Deputy DoD CIO David McKeown said that after a more extensive analysis, all of the 80,000 contractors tied to the defense sector in any way will require a third-party assessment in order to win defense contracts.

Here are some reasons why this change is worthy of your attention:

  1. Despite its implementation, the Government Accountability Office found that a majority of defense contractors are failing to fully execute the CMMC’s cybersecurity standards.
  2. The market for CMMC assessment is only emerging now and incorporating another 40,000 contractors will only burden it more. The DoD is, however, working with the CMMC Accreditation Body to ramp up the “assessment ecosystem”.

Moreover, this has raised questions about the effectiveness of the CUI program, and a recent paper published by the Intelligence and National Security Alliance recommended its wholesale reevaluation. Sensitive data that requires protection needs to be clearly defined and labeled before it can be safeguarded properly.

The press release regarding CMMC 2.0 said that ‘despite the recent changes, the CMMC 2.0 has succeeded in safeguarding sensitive information and encouraging compliance by simplifying the standards, providing additional clarity on regulatory policy and contracting requirements, and improving the overall ease of execution’. The modifications also mean that more than 140,000 defense contractors that handle less sensitive federal contract information will only need to submit a self-assessment. The assessment of the contractors’ cybersecurity practices would be done in compliance with the CMMC Level One requirement. These changes will mean tighter control over data and hopefully, fewer cybersecurity attacks. This will take some time to fall into place and the CMMC will require a few more rounds of federal rulemaking before it can finally work for everyone.
