The Department of Defense (DoD) expects around 80,000 Defense Industrial Base (DIB) contractors will need a third-party assessment to reach Level 2 compliance for the Cybersecurity Maturity Model Certificate (CMMC) 2.0 program – double the previously estimated number of companies.
Despite a previous aim to bifurcate the CMMC 2.0 Level 2 requirements and decrease the amount of DIB contractors that need a third-party assessment, DoD Deputy CIO David McKeown said at a Feb. 10 CMMC 2.0 Town Hall that further assessment of the program proved that bifurcation would not be possible.
“At level two, this is where we started having controlled unclassified information,” McKeown said at the DoD-organized event. “We thought maybe we could bifurcate this into the types of QE (qualified entities) that were really important to the department and the ones that were not. But in the end, when we did the analysis, it looks like a universe of about 80,000 companies that are going to fall into this bucket here. Probably all of them will have to get a level two assessment.”
After a lengthy internal review of the CMMC program, CMMC 2.0 sought to simplify the cybersecurity requirements for DIB contractors, collapsing the levels of certification from five to three, and only requiring 17 security controls and self-assessments for the first level of certification.
McKeown said that of the estimated 220,000 companies currently in the DIB, approximately 140,000 will fall into this first category, and only require self-assessments.
The requirements for the Level 2 and Level 3 certifications are now based around the National Institute for Standards and Technology (NIST) special publication (SP) 800-171 cybersecurity practices, with level 2 requiring the implementation of 110 practices included in NIST SP 800-171.
The CMMC 2.0 program recently underwent a realignment, and now falls under oversight of the Office of the CIO (OCIO) rather than the office of the under secretary of Acquisition and Sustainment (A&S). McKeown downplayed the significance of that shift, emphasizing that OCIO was already serving in a supporting role to the A&S team.
“Operationally, the team has been aligned to us for some months,” McKeown said. “We’ve just been waiting for SecDef [Secretary of Defense] to sign the final memo. That just happened recently. The team is now a part of the CIO and really we haven’t missed a beat.”
“I think it makes sense … our job here is to safeguard DoD information and that information could be resident on DoD networks or it could be resident on DIB partner networks,” McKeown said. “A&S was in the supported role, and we were supporting them. And the only change here is now that we’re in the supported role, and then they’re supporting us. But you know, we’re good partners. It’s not a huge change for any of us here, really. And it does allow us to focus more holistically on the protection of DoD data, no matter where it resides.”
Estimated Timeline for Rulemaking
With the realignment now official, McKeown said the program is in the rulemaking process for the program. McKeown said he expects the rulemaking process to be completed within the next two years.
“We expect that the rulemaking will be done and everything in place within the next 24 months so that CMMC 2.0 will be in all the contract vehicles out there,” McKeown said.
While the requirements may not be in place for contracts for a while, he urged contractors to begin work on CMMC compliance now, rather than wait until the rulemaking process is complete, and said the DoD is looking for ways to incentivize such early action.
“We are trying to incentivize people to become early adopters and have their assessments done in spite of the fact that it is not the law of the land yet,” McKeown said. “We’re looking at ways to incentivize that. Perhaps even if you get it done now, the clock won’t start ticking on the expiration of your certification until the rule goes into effect. So, when the rule goes into effect, your three-year clock would start ticking from that point before you’d have to be reassessed.”
He encouraged companies, especially those that are expected to need certification past level one, to get in contact with the CMMC Accreditation Board to see if they believe having a third-party assessor organization assess their company’s cyber posture would be beneficial.