The Evolution of Government Tech Procurement Under CMMC 2.0
By: Kyle Dimitt, Principal Engineer, Compliance Research at LogRhythm
Supply chain attacks have been on the rise across the globe, as we saw with the targeted attacks against SolarWinds and Kaseya. The spike has created a large risk for the Federal government, because the industry supply chains that serve agencies like the Department of Defense (DoD) have not necessarily been required to adhere to a set level of cybersecurity standards. To combat this, the DoD has attempted to minimize the risk by increasing the security of the Defense Industrial Base (DIB) with the introduction of the Cybersecurity Maturity Model Certification (CMMC) in 2019.
CMMC requires contractors to obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet basic cyber hygiene standards, as well as to protect controlled unclassified information (CUI) that resides on partner systems. While this won’t answer all the government’s cybersecurity woes, it addresses an attack vector that is being exploited more and more frequently.
Challenges with CMMC 1.0
CMMC 1.0 was a very big change for the DIB. While contractors may have been required to adhere to NIST standards prior to its introduction, there was no requirement to prove adherence to those standards for systems holding CUI. The CMMC requirement to be audited and prove that your organization was adhering to these requirements became very costly, depending on where the CUI was in your environment.
Many DIB contractors were also not confident in what CUI they had in their environments, further adding to the complexity of CMMC requirements. Because they couldn’t fully identify the CUI, they couldn’t fully scope what needed to be protected by the controls and what they would be audited against.
Additionally, there was no allowance for plans of action and milestones (PoAMs). Certifications were a firm pass/fail, which meant organizations could lose out on an opportunity for a contract if they weren’t certified and would have to be audited again once they remediated any deficiencies noted in the audit.
Introducing CMMC 2.0
In November 2021, the DoD announced CMMC 2.0, which came with an updated program structure and requirements. The key changes in CMMC 2.0 address some of the grievances shared above regarding CMMC 1.0, but other challenges remain.
CMMC 2.0 is more flexible, allowing for PoAMs and waivers to CMMC requirements under certain circumstances. This enables contractors who do not yet meet the security requirements to continue to bid on DoD contracts. The five maturity levels of CMMC 1.0 have also been consolidated into three, simplifying and streamlining the requirements to focus on the most critical ones.
Third-party assessment requirements have also changed in version 2.0, reducing the number of government contractors that require a third-party assessment. Level 1 no longer requires third-party assessments, but it does require organizations to perform annual self-assessments. Level 2 requires triennial third-party assessments, with annual self-assessments permitted for select programs. Level 3 requires triennial government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center.
The biggest challenge is still the depth of understanding of CUI. Organizations must continue working with their DoD and Federal partners to understand what CUI needs to be protected and where it resides in order to properly scope and perform third-party and self-assessments.
Impact on State and Local Governments
CMMC 2.0 will aid Federal agencies’ ability to buy and implement new technologies by giving contractors more flexibility in gaining CMMC certification. By making the certification process simpler and more affordable, contractors can find a quicker path to certification and ultimately a smoother procurement process. While CMMC does not impact state and local government agencies for now, it’s reasonable to expect similar mandates to extend to the local level in the future. State and local governments will likely take their cue from Federal agencies and prefer to work with contractors who have gained certification and federal contracts, even though they are not currently required to work with CMMC-certified vendors.
State and local governments should keep a watchful eye on the continued rollout of CMMC as they look to incorporate similar requirements into their own supply chains. More importantly, these governments should stay up to date on President Biden’s executive orders around cybersecurity, as they could have cascading effects for those entities. There is nothing as broad and sweeping as CMMC at the state level, but with the increased focus on cybersecurity, many states are introducing new cybersecurity legislation.
The latest changes to the Cybersecurity Maturity Model Certification are a great move by the Office of Acquisition and Development and the DoD to continue to hold the DIB accountable while providing a more flexible standard. CMMC 2.0 will allow more contractors to obtain the certification and adhere to the standards, but most importantly, the second iteration is creating greater public buy-in.
The U.S. government has taken great first steps to modernize its own cybersecurity efforts before extending a set of audited requirements to the entire government supply chain. A government-wide implementation of CMMC or something very similar is not out of the question, but don’t expect to see it before CMMC demonstrates some success with its new model or before the DoD’s full phase-in by 2026.