The Department of Defense’s (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment recently issued a long-awaited overhaul to its Cybersecurity Maturity Model Certification (CMMC) program by introducing CMMC 2.0, which:
- Lowers the number of CMMC levels from 5 to 3.
- Drops all maturity PROCESS requirements.
- Allows (limited): Self-attestation of compliance and Plan of Action and Milestones (POAMs)
To help make sense of these developments, here’s my perspective on the CMMC changes, along with recommendations for any Defense Industrial Base (DIB) company or law firm on how best to proceed.
Objective: Protect CUI
The most important takeaway from CMMC 2.0 is that DFARS 252.204-7012, NIST SP 800-171, and International Traffic in Arms Regulations (ITAR) remain the law of the land. Therefore, if you handle controlled unclassified information (CUI) or ITAR data, then these controls are still in effect.
The DoD announced plans to strengthen the CMMC program by aligning the Code of Federal Regulations (CFR) language with DFARS. That is, CMMC 2.0 will remove any ambiguities stemming from DFARS Interim Rule 2019-D041 (Clause 7021), which had previously been relied upon to implement CMMC. Codifying CMMC 2.0 through the federal rulemaking process will provide the clarity needed to enforce and measure cyber compliance across all commands and agencies.
Audits Still Here
While we wait for CMMC 2.0 to make its way through the DoD rulemaking process, remember that DFARS remains in force.
Just like the IRS can audit a taxpayer, the DIB Cybersecurity Assessment Center (DIBCAC) could select any contractor for a NIST 800-171 audit, so you want to ensure that your company is implementing adequate data protections and is on a path toward achieving a good NIST 800-171 score in the DoD’s Supplier Performance Risk System (SPRS) System.
Remember that CMMC will return after the rulemaking stage, as will third-party assessments (for MOST contractors). So, a contractor must stay in compliance with the current rules while simultaneously keeping an eye on the future.
Enforcement is Real
The Department of Justice’s (DoJ) new Civil Cyber-Fraud Initiative was created to hold contractors accountable for cybersecurity measures. In addition, they are utilizing the False Claims Act to enforce cybersecurity compliance and to encourage whistleblowers to come forward.
The new task force’s focus is to investigate contractors who withhold breaches or falsify claims of SPRS scores. The Defense Contract Management Agency (DCMA) is already enforcing DFARS compliance via DIBCAC audits and by holding primes responsible for their sub’s cybersecurity programs.
Zero Trust Principles
Recent federal guidance advises the adoption of Zero Trust principles to protect data, as opposed to traditional perimeter-based approaches, by using end-to-end encryption to protect information. The file-sharing and messaging features protect your CUI with unmatched security, and since the service provider NEVER has access to decryption keys and the data is encrypted with FIPS 140-2 end-to-end encryption, ITAR compliance comes built in.
Companies that have migrated to the cloud (or plan to): Commercial-off-the-Shelf cloud services for files and email are NOT DFARS compliant, while higher-priced cloud migrations (ex: Microsoft GCC High) cause significant disruption and are prohibitively expensive.
CMMC 2.0 Reinforces NIST 800-171 Strategy
The DoD’s requirements to protect CUI are still in effect while CMMC 2.0 is developed and noncompliance carries significant risks for DoD contractors, while compliant contractors have a significant competitive advantage when contracts are awarded, new rules emerge, or audits begin.
NOW is the time to implement a DFARS-compliant cybersecurity program. If you wait until CMMC 2.0 becomes law, it will be too late.