Pentagon releases CMMC 2.0 program to secure defense industrial base from cyberattacks

CMMC 2.0

The U.S. Department of Defense (DoD) announced on Thursday its ‘CMMC 2.0’ program that will simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy, and contract requirements. It will also focus on advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs and increase DoD’s professional and ethical standards oversight on the assessment ecosystem.

The improvements will ensure accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements, instill a collaborative culture of cybersecurity and cyber resilience, and enhance public trust in the CMMC ecosystem while increasing overall ease of execution.

The release of CMMC 2.0 marks the completion of an internal program assessment led by senior leaders across the Department. The CMMC program includes cyber protection standards for companies in the defense industrial base (DIB). By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department with the assurance that contractors and subcontractors meet DoD’s cybersecurity requirements.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a media statement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

Compliance expert Jacob Horne pointed out in a LinkedIn post that CMMC 2.0 eliminates levels 2 and 4 and removes CMMC-unique practices and all maturity processes from the CMMC Model. It also allows annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1, and bifurcates CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation.

He also pointed out that the CMMC Level 5 requirements are still under development.

With CMMC 2.0 published, the interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve the inclusion of a CMMC requirement in any contract before the completion of the CMMC 2.0 rulemaking process.

Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements outlined in the regulation.

The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of the rulemaking, OUSD(A&S) said. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes. It will also allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments and increase oversight of the third-party assessment ecosystem.

The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent concerning the CMMC program. But CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program, according to details released by the OUSD(A&S). The rulemaking process and timelines can take between nine months and two years. CMMC 2.0 will become a contract requirement once rulemaking is completed. While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation.

The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and adopt sound cybersecurity practices. The Project Spectrum platform provides companies, institutions, and organizations with cybersecurity information, resources, tools, and training.

The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available. The changes were necessitated by the feedback that the Department received from industry, Congress, and other stakeholders in the over 850 public comments received in response to the interim rule establishing CMMC 1.0, the OUSD(A&S) said.

These comments focused on the need to enhance CMMC by reducing costs, particularly for small businesses, increasing trust in the CMMC assessment ecosystem, and clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards, according to the OUSD(A&S). The CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.

In August, a bipartisan Defense Critical Supply Chain Task Force released its final report, findings, and recommendations, following a months-long review of supply chain threats and vulnerabilities. Established by the House Armed Services Committee, the Task Force focused its efforts on improving the defense supply chain specifically, so that the Committee can take legislative action to address risks and build resiliency.
