Cybersecurity and Government Procurement: CMMC 2.0 Model
Great news for government contractors working in the Cybersecurity industry! This week, after an internal review of CMMC 1.0 earlier this year, the Pentagon announced that the Department of Defense (DoD) is overhauling the requirements of the CMMC.
If you work in this field you’re more than aware of the Cybersecurity Maturity Model Certification (CMMC) and the Department of Defense’s implementation of CMMC 1.0 to drive the defense industrial base to protect their networks and sensitive data against domestic, as well as international, cyberattacks and theft.
The reason for this overhaul is the program came under fire from contractors and lawmakers alike who have concerns about the burden this places on small businesses, primarily the costs involved with becoming certified. This in turn created the issue that small businesses may very well be unable to compete in winning these contracts. This overhaul is said to reduce costs for small businesses, simplify cyber standards, increase trust in the CMMC assessment, curtail the administrative hardships in accomplishing cybersecurity compliance and clarify/align cybersecurity requirements to other federal requirements and commonly accepted standards.
The internal assessment team comprised leaders from 18 DoD components, including its Chair, Mieke Eoyang (Deputy Assistant Secretary of Defense for Cyber Policy); David Frederick (Executive Director of U.S. Cyber Command); David McKeown (Deputy Chief Information Officer for Cybersecurity); and Jesse Salazar (Deputy Assistant Secretary of Defense for Industrial Policy). Secretary Salazer has said about this overhaul,
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base.” … “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
CMMC 1.0 included five different cybersecurity maturity levels that graduate in difficulty. Third-party assessor organizations have been charged with certifying those companies. These organizations have been approved by an accreditation body. A big change we see in CMMC 2.0 is that the levels have gone from five to three. They are as follows:
- Level 1: the “foundational level,” will include 10 mandatory cybersecurity practices and require annual self-assessments.
- Level 2: known as the advanced level, will require compliance with the 110 practices aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, as set forth in DFARS 252.204-7012.
- Level 3: the expert level, contractors will need to employ cyber hygiene that goes beyond the 110 NIST standard practices.
Other noteworthy information about these changes:
- Level 1 category companies and a subset of Level 2 companies can rely on self-assessments.
- The remaining Level 2 companies will have to undergo third-party assessments on a triennial basis.
- All companies in Level 3, however, will require triennial government-led assessments rather than third-party assessments.
- CMMC 2.0 will allow for waivers to the cybersecurity requirements under certain limited circumstances when the DOD must acquire select mission-critical requirements.
The CMMC 2.0 changes will be implemented after the completion of Code of Federal Regulations rulemaking for the Defense Federal Acquisition Regulation Supplement following the mandatory public comment period. During this rulemaking period (may be a 24 month period to complete), the Pentagon has said that it will not include CMMC 1.0 requirements in any contracts. Sometime during rulemaking we should see a published “comprehensive cost analysis” from the Pentagon giving contractors some insight into how much they will need to spend for each level to obtain full compliance.
It’s important for contractors to stay informed on these changes, as they could very well increase your chances of being awarded a contract. It’s also essential that contractors participate in the process of communicating and making public comments during the public comment period on how this new implementation of CMMC 2.0 could be more beneficial, practical and effective.
GovSpend has recently acquired Fedmine and our dataset has been made more robust and essential for vendors or contractors who work with agencies. Allowing you to see spending & P.O.s, co-op’s & contracts, contacts, and much more valuable information that can help supplement your plans into a more efficient strategy and gain a competitive edge over others. What are you waiting for? Create a free account with GovSpend to learn more.
- Pittman, Winthrop Shaw. “The Pentagon Scraps Its Current Cybersecurity CMMC Program in
- Favor of CMMC 2.0, Which Promises to Ease the Burden of Participating in Government Contracts.” 9 Nov. 2021, https://www.jdsupra.com/legalnews/the-pentagon-scraps-its-current-4723538/. Accessed 15 Nov. 2021.