How we’re making sense of CMMC 2.0
On November 5, 2021, the Office of the Secretary for the Department of Defense produced a document outlining updates for the Cybersecurity Maturity Model Certification (CMMC) program. We’ve been following the program since its inception, and we were eager to find out what's coming next.
In short, some of the changes help reduce the burden of the program, while others seem to introduce potential problems. Overall, this update contains several major changes for organizations that are working to achieve CMMC compliance.
Here are several of what we consider to be the most noteworthy changes.
Change #1: Levels 2 and 4 Are Being Eliminated
We believe this change makes sense, as organizations were never expected to certify to level 2—it was just a transitional stage between levels 1 and 3.
Levels 4 and 5 were not yet well defined and we expected most organizations to be held to level 3 unless there were special circumstances. It seems that as the Department of Defense worked to define these levels, a determination was made that there wasn’t a need for two additional levels. As a result, level 4 was absorbed.
Change #2: Organizations Can Self-Assess to Level 1
This is a change that we believe helps streamline the program for smaller organizations. Level 1 is for organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Because FCI is less sensitive than CUI, and level 1 has far fewer controls compared to the old level 3, organizations will now be able to self-assess and achieve level 1 compliance. The risk of having organizations that only handle FCI self-assess is likely minimal.
Change #3: Level 3 Assessment Types Will be Dictated by Contract
This change makes a bit less sense. Some organizations that are required to be level 3 compliant will be able to self-assess, while others will require a third-party assessment, depending on what the Department of Defense puts in their contract, based on the sensitivity of the data.
CMMC exists because organizations were supposed to be self-assessing their compliance with NIST SP 800-171, and over time it became obvious that this was not an effective approach. It can be difficult to understand the intent behind controls in standards like NIST SP 800-171 and CMMC, as the control requirements are often vague or use terms that are not otherwise widely used in the information security field. An example from CMMC is requirement SC.3.188, which simply states, "Control and monitor the use of mobile code." This refers to software that runs in a web browser, such as Flash, JavaScript, Java, and ActiveX; it has nothing to do with smartphones, which is how most people initially interpret the requirement. Large organizations likely have people with the right background to research and interpret the true intent of these standards, but smaller organizations often struggle. A smaller organization may think it is compliant when it is not, because it has misunderstood the intent of the controls.
Change #4: Self-Assessments Will be Annual and Must be Signed Off by Company Leadership
Previously, the expectation was for a three-year assessment cycle. We believe it makes sense to keep a closer watch on organizations that are self-assessing, due to the increased potential for misunderstandings, as described in the change above. We hope that the sign-off requirement will be used for accountability in the event that an organization falsely attests to compliance. The expectation is that accountability will drive real compliance rather than simply trying to check the box for compliance.
Change #5: Additional Controls Based on NIST SP 800-171 Are Being Eliminated
On one hand, this is unfortunate because many of these controls covered important topics that NIST SP 800-171 doesn’t address. On the other hand, it simplifies CMMC because the intent of the NIST SP 800-171 controls is generally better documented than that of the additional CMMC-specific controls. An argument could be made that the additional CMMC controls should be added to NIST SP 800-171 as part of the broader standard, rather than existing as one-off CMMC requirements. Maybe that’s the plan for the next iteration of NIST SP 800-171.
Change #6: The Process Maturity Controls for Level 3 Are Being Eliminated
CMMC previously required process maturity controls, such as policies, procedures, and management plans, for level 3 compliance, in addition to implementing the technical controls in the practice section of the standard. Technically, these could be considered additional CMMC-specific controls, as described above, but warrant their own discussion because they are very different from regular technical "practice" controls.
The elimination of process maturity controls will make the standard much easier from a compliance perspective, but as a security professional, I see this as a major loss. Spinning up security products to meet requirements is easy, but having mature processes in place to make those security products effective at detecting and defending against attacks is difficult. There is a real risk that a set of security products will be quickly rolled out to meet CMMC requirements and check the box, but those products won’t be effectively configured, tuned, and monitored.
Change #7: Plans of Actions and Milestones (POA&Ms) Will be Allowed for Compliance Purposes
Before this update, organizations were told they must be 100% compliant with CMMC to accept contracts. Plans to become compliant were not allowed. This change means an organization can be treated as compliant even if it is not actually compliant, as long as it has a plan in place to become compliant. This is how NIST SP 800-171 compliance was configured, and the problems with that approach, such as organizations with large compliance gaps handling CUI because they had a plan in place, were another likely driver behind the creation of CMMC. How much trouble this causes will depend on how strictly organizations are held to their plans, including whether or not the Department of Defense will be willing to cancel contracts for organizations that miss their targets.
Change #8: Waivers for Certain Requirements May be Granted
Organizations will be able to request waivers exempting them from compliance with specific CMMC requirements. The impact of this change depends on how these waivers are handled. There are certainly circumstances where a control may not be appropriate, which is why most standards use the concept of a baseline that can be tailored, but this may become dangerous if the waivers are granted too easily.
How do These Changes Affect My Business?
While this is being called “CMMC 2.0,” the changes are technically not being enforced yet. At this stage, it is just a proposal that has been published in the Federal Register for public comment. The update will have to work its way through the standard government rulemaking process before it is published for compliance purposes. Some additional changes may be introduced during this process. Perhaps the most important change is the delay of CMMC obligations—contracts won’t contain CMMC requirements until the rulemaking process is completed, which could take up to 24 months.