A pair of new federal regulations that were posted to, and then withdrawn from, the Federal Register on Thursday could bring significant changes to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program.
A pair of documents posted by DoD on the Federal Register titled “CMMC 2.0 The Way Forward” outline a series of major changes to the structure of the program, which was originally envisioned as a way for third-party assessors to independently certify that defense contractors are following established federal cybersecurity rules for controlled unclassified information.
The first iteration of the program had five levels and attempted to set up a convoluted body of third-party assessors to evaluate companies. Under the new proposal outlined in the documents, DoD would eliminate two levels (2 and 4) entirely and allow contractors to self-assess and affirm their compliance at Level 1. Level 3 certifications would be bifurcated, with “prioritized acquisitions” requiring independent assessors but everyone else only requiring annual self-assessment and affirmation. The department is still developing requirements for how to handle Level 5, the highest level of security maturity.
Shortly after the documents were posted, they were withdrawn, but a statement from Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar confirmed the changes, predicting CMMC 2.0 will “dramatically strengthen the cybersecurity of the defense industrial base.”
“By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” he said.
The changes, if confirmed, would represent the first major movement of CMMC in months. The program has been in limbo as DoD has kept quiet about its plans while it processes outside feedback. A previous rule-making process for the program received 850 comments from the contracting community and public, roughly half of which DoD said were directed at the broader structure of CMMC.
Additionally, the former official who spearheaded the program — Katie Arrington — has been on administrative leave for months, with no formal explanation from DoD as to why. In a lawsuit Arrington filed against DoD, her lawyers claim she was stripped of her security clearance in May and told it was due to unauthorized disclosure of classified information. Arrington denies the charges and is petitioning a D.C. court to compel the government to give her a hearing and complete its personnel review, but the dispute has added another layer of confusion as to how DoD plans to proceed.
In testimony to Congress earlier this year, Salazar told lawmakers he had assumed oversight of the program and outlined three challenges with the program’s impact that the Pentagon was grappling with.
First, the program’s stringent and costly requirements could potentially freeze out a large number of small businesses that are often among DoD’s best sources of innovation. Second, the department needed to de-conflict and clarify the various cybersecurity requirements and regulations that contractors must meet. Third, DoD is uncertain it will have enough assessors to process the needs of hundreds of thousands of businesses in a timely fashion.
Outside observers have anticipated that DoD was planning to overhaul the program for some time. Robert Metzger, a procurement attorney, author of “Deliver Uncompromised” and a CMMC expert, told SC Media that he was “not especially surprised” at the scope of the changes, arguing that the program bit off more than it could chew from the outset. The program and its structure have been the subject of a flurry of discussion and debate within the contractor community, and the sheer volume of complaints indicated the program might not work under its original vision.
“I’ve been saying for several months that I thought the reach of CMMC as originally structured exceeded the available resources,” Metzger said in an interview. “CMMC was trying to do too much, affecting too many, too soon. I thought the DoD was struggling with those difficult questions.”
While Metzger supports the overall goal of the CMMC program and believes self-assessment and affirmation by contractors is “just not enough,” he also said imposing a complex and arduous process with new requirements upon potentially any contributor to the defense industrial base is “maybe putting too much burden upon the department” as well as many smaller businesses. He expressed hope that the department would use the opportunity to re-engage with industry on the new changes.
“It’s very clear the department was concerned that too much CMMC imposed on too many would be impossible for smaller businesses to accomplish and DoD was worried that it could lose small businesses from the industrial base and discourage innovators,” he said.
The CMMC Advisory Board, which was created to help DoD manage authorization and accreditation for the program, declined to respond to questions from SC Media about the rationale behind the changes or how the government would validate the self-assessments and affirmations of contractors. In a statement, CEO Matthew Travis said his organization supported the changes and said companies that participated in an interim program to receive certification under the original CMMC will be honored by the department.
“There will be some short-term challenges to confront such as curricula adjustments our training providers will now need to make, and the time requirement for yet another round of federal rulemaking," Travis said. "But now that there is a definitive way forward, I hope all parties move with alacrity."
Some think the changes are not as dramatic as they might seem at first glance. Jacob Horne, chief cybersecurity evangelist at Summit 7 Systems who focuses on CMMC compliance issues, said the changes may be more superficial than they first appear.
While eliminating independent assessments for Level 1 contractors will affect a large number of companies, they are not the companies holding controlled unclassified information that DoD was originally worried about. Most of the companies that do hold such information are now in a single, bifurcated group where high-priority contract work will be subjected to heightened requirements.
But almost all of the announced changes deal with the way CMMC operates at a programmatic level. The actual cybersecurity requirements that companies would need to map their operations to do not appear to have changed.
“The important idea is that the underlying requirements from CMMC 1.0 and CMMC 2.0 are identical,” Horne said, noting that both versions will be tied to security controls developed by the National Institute of Standards and Technology that are embedded in federal contracting laws.
Horne acknowledged that relying on self-assessment from contractors that they’re following legally mandated federal cybersecurity laws has been “an abject failure” and an impetus for starting CMMC in the first place. However, he said a major problem that DoD has failed to address throughout the process is finding a way to stop flooding the contractor community with controlled unclassified information.
While prime contractors often need the full suite of procurement and program information to do their jobs, many of their subcontractors do not, and DoD could dramatically reduce the number of companies subject to the program simply by being more judicious with the information it shares.
“The overall problem has been that the government is sending too much information into the supply chain. If you don’t have the information to begin with then you’re not really worried about it being compromised,” said Horne. “You have all of these sub-tier suppliers, machine shops…that are getting entire schematics, they’re getting critical information that they may not need, and the government has had no plan on how to reduce that flow of information.”