In May of last year, I wrote about the forthcoming Cybersecurity Maturity Model Certification, or CMMC, regulations for DoD contractors and how it could become the new universal security standard (see https://www.spotlink.com/blog/cmmc). At that time, CMMC was scheduled to start rolling out by the end of the year, and fully implemented by 2026.
Most of us are accustomed to seeing the United States Military execute successfully, time and again. But that was not the case with CMMC, which was riddled with infighting, changes in management, and even scandal. As a result, the DoD pulled the CMMC plans and replaced them with CMMC 2.0.
CMMC 2.0 is significantly different than the 1.0 version. The previous version had 5 levels of compliance that mapped to organizational cyber security maturity. That has been replaced with 3 levels that align with the cybersecurity practices – the entire maturity concept has been dropped (although they are still calling CMMC).
Level 1 is deemed the “Foundational” level. This will apply to DoD contractors that “do not handle information deemed critical to national security”. Or put another way, those that have Federal Contract information only. For companies in this level, the requirements scale back immensely in 2 big ways. First, rather than being required to comply with the 110 controls of NIST 800-171, you only need to comply with a subset of 17 basic controls. Second, you can self-attest to compliance rather than have that validated by an outside third-party firm (called a C3PAO).
Level 2, “Advanced”, is like the Level 3 in CMMC 1.0. This applies to companies that hold Controlled Unclassified Information (CUI). These companies must comply with NIST 800-171 and must use a C3PAO to validate their compliance every 3 years and self-attest annually. (A subset of companies will be able to entirely self-attest, but this is expected to be a relatively small portion).
Level 3, “Expert”, is the same as Level 5 in CMMC 1.0. The rules on these companies are still in development, but the expectation is that they will need to be fully compliant with NIST 800-171/172, as well as some additional controls. Additionally, it is expected that their compliance will be verified by a government agency.
The DoD has stated they will be working with NIST so that future revisions of NIST 800-171/172 will incorporate additional controls, so that these standards will be a unifying standard for all DoD and other businesses that choose, or are required (e.g., by their cyber insurance policy), to meet.
CMMC 2.0 won’t go into effect until 60 days after the interim rules are released, which is expected to happen by May of 2023. Even then, it will only be required on some contracts, and the DOD plans to allow companies to submit a time-limited Plan of Action and Milestones (POAMs) to temporarily substitute for full compliance.
What to do until then? Unfortunately, if you are a Level 1 company under CMMC 2.0, the interim is going to be much more challenging until CMMC 2.0 is live. Until the new rules go into effect, most DoD contractors will continue to be subject to DFARS-252.204-7012, -7019 and -7020. In simple terms this means you are still responsible for either fully complying with NIST 800-171 or submitting an action plan on when you will commit to being fully compliant.
This is still an evolving story. But as it looks now, CMMC will still be a game changer, but not quite as drastic, quick, or encompassing as we thought a year ago. Stay tuned. SpotLink will continue to provide small updates on our Twitter account, and major updates via our newsletter.
Of course, if you are one of those that need to implement DoD compliance, whether now or in the future, SpotLink, stands ready to help.
Robert Hood
CEO & Founder
SpotLink