The Defense Department (DoD) on Dec. 26 published its latest proposed overhaul of the agency’s Cybersecurity Maturity Model Certification (CMMC) 2.0 program that would set three levels of cybersecurity compliance for defense industrial base (DIB) contractors, and allow for contractors to perform security self-assessments at some of the lower requirement levels.
The Pentagon is seeking public comment on the proposed rule through Feb. 26.
An analysis of the proposed rule published by PreVeil – a provider of CMMC compliance services – estimates that DoD could publish a final version of the rule in late 2024 or early 2025. “Once CMMC is incorporated into DFARS [Defense Federal Acquisition Regulation Supplement], contractors may be required to achieve CMMC certification prior to contract award. CMMC will be fully phased in over a 3-year period,” the firm said.
The latest rule, DoD said, is “designed to ensure that defense contractors and subcontractors are compliant with existing information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that sensitive unclassified information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.”
The new proposed CMMC rule reduces the number of cybersecurity assessment levels required of DIB contractors and subcontractors to three, down from the five levels in the previous version of the program.
Under the proposed new rule:
- CMMC Level 1 incorporates “basic safeguarding” of FCI;
- CMMC Level 2 incorporates “general protection” of CUI; and
- CMMC Level 3 incorporates a “higher level of protection against risk from advanced persistent threats.”
DoD first published interim CMMC rules in 2020, and in 2021 introduced the 2.0 version of the program. In July 2023, the agency submitted its new proposed rule – just unveiled in full detail last week – to the Office of Management and Budget (OMB) for review. Specific details of the new proposed rule were scarce until the Dec. 26 release by DoD.
The previous 1.0 version of CMMC faced criticism from the defense contractor community in part because of the costs that contractors would face to comply with the rules, and DoD said last week that the proposed new rule should help to address those concerns.
“DoD estimates overall program costs will be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments and minimizing cost to industry for Level 3 assessments by having Government assessors from Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments,” DoD said.
The agency also said that “CMMC aligns directly with the cybersecurity requirements described in National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172.”
“With its streamlined requirements, the CMMC program” now provides for “simplified compliance by allowing self-assessment for some requirements,” priorities for protecting DoD information, and “reinforced cooperation between the DoD and industry in addressing evolving cyber threats,” the Pentagon said.
The DoD Chief Information Officer (CIO) explained that under CMMC 1.0, DIB contractors faced security assessments across five progressively more demanding levels, from Basic to Advanced, with Levels 2 and 4 serving as transition steps between Levels 1, 3, and 5. Under CMMC 2.0, the CIO said, Level 1 corresponds to the previous Level 1 requirements, Level 2 corresponds to the previous Level 3 standard, and Level 3 corresponds to the previous Level 5 standard.
Along with the proposed new CMMC 2.0 rule released on Dec. 26, DoD posted the CMMC 2.0 model for Levels 1 and 2, their associated assessment guides, and scoping guidance. “Level 3 information will likewise be posted as it becomes available,” the CIO said.
“As a result of the alignment of CMMC to NIST standards, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements,” the CIO said.
In addition to seeking comment on the new proposed CMMC rule, DoD is also soliciting comment on eight associated guidance documents and several new information collections.
DoD also said it plans to seek public comment later this year on a follow-on DFARS rule for CMMC.