Inside Cybersecurity

Pentagon provides details on upcoming rulemakings for revamped CMMC program

By Sara Friedman / November 16, 2021

The Pentagon has formally announced two new rulemakings that will make changes to its Cybersecurity Maturity Model Certification program, including the removal of third-party assessments for Level 1 and the start of a Plan of Action and Milestones process.

“This document provides updated information on DoD’s way forward for the approved Cybersecurity Maturity Model Certification (CMMC) program changes, designated as ‘CMMC 2.0.’ CMMC 2.0 builds upon the initial CMMC framework to dynamically enhance Defense Industrial Base (DIB) cybersecurity against evolving threats,” the Defense Department said in an advance notice of proposed rulemaking (ANPRM) to be published in the Federal Register on Wednesday.

The ANPRM says, “The CMMC framework is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats.”

The Pentagon announced changes to the CMMC program on Nov. 4 and posted an ANPRM on the same day that was removed from the Federal Register prior to publication. The new notice is similar to the Nov. 4 ANPRM while making revisions to clarify certain aspects of CMMC 2.0.

The ANPRM now states explicitly that there are three levels of certification, rather than saying Levels 2 and 4 have been eliminated.

The notice says:

  • Level 1 (Foundational) will remain the same as CMMC 1.0 Level 1;
  • Level 2 (Advanced) will be similar to CMMC 1.0 Level 3;
  • Level 3 (Expert) will be similar to CMMC 1.0 Level 5.

DOD also makes clear that it’s “Removing CMMC-unique practices and all maturity processes from all levels” and will require “Government-led assessments” for Level 3.

Other modifications under CMMC 2.0 include:

  • For CMMC Level 1 (Foundational), allowing annual self-assessments with an annual affirmation by DIB company leadership;
  • Bifurcating CMMC Level 2 (Advanced) assessment requirements:
    • Prioritized acquisitions involving CUI will require an independent third party assessment;
    • Non-prioritized acquisitions involving CUI will require an annual self-assessment and annual company affirmation;
  • Developing a time-bound and enforceable Plan of Action and Milestone process; and,
  • Developing a selective, time-bound waiver process, if needed and approved.

The notice says, “The changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. DoD will pursue rulemaking in both: 1) Title 32 of the Code of Federal Regulations (CFR); and, 2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods.”

DOD said, “The title 32 CFR rulemaking for CMMC 2.0 will be followed by additional title 48 CFR rulemaking, as needed, to implement any needed changes to the CMMC program content in 48 CFR. DoD will work through the rulemaking processes as expeditiously as possible.”

At a “Town Hall” meeting last week, CMMC Program Management Office leader Buddy Dees said the Pentagon is not instituting mandatory CMMC requirements while the 2.0 efforts go through the rulemaking process, which could take anywhere from nine to 24 months. -- Sara Friedman (sfriedman@iwpnews.com)