Last week, the Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. The nascent cybersecurity compliance program came under criticism from the defense industrial base (DIB) because of its extensive requirements and onerous penalties.
The program changes come as a result of an extensive internal review which was prompted by over 850 public comments regarding the CMMC during the public comment period in the Fall of 2020 in addition to concerns raised by Congress.
The CMMC Accreditation Body (AB) held a Townhall this week to discuss how the changes will impact the process of certifying assessors, training requirements, and more. This Townhall featured Deputy Assistant Secretary of Defense Jesse A. Salazar, Deputy DoD Chief Information Officer for Cybersecurity David McKeown, and Buddy Dees of the CMMC Program Management Office. They reinforced much of the new information that is available on the CMMC website.
A key driver for the change, they said, was to fully align the CMMC with National Institute of Standards and Technology (NIST) cybersecurity standards, to ease the process of expanding the program across the government. Though not an official announcement, it does portend the expansion of the program outside of DoD.
Summary of CMMC Program Changes
|Practice: Verify and control/limit connections to and use of external information systems.|
CMMC 2.0 Scoring System
CMMC 1.0 is officially over. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Over the next few weeks, an updated CMMC Assessment Guide for Levels 1 and 2 should be posted to the Department’s website. Additionally, CMMC 1.0 was essentially a 100% pass/fail assessment. Organizations had to pass all the practice and process maturity requirements to pass an assessment. CMMC 2.0 moves to a scoring system, most likely similar to the scoring process for NIST SP 800-171. However, certain, high-risk practices still cannot fail in a passing assessment. Organizations will be allowed to document plans of actions and milestones (POA&Ms) for other practices that do not pass, and DoD will establish a minimum score for passing assessments.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000
About the Author
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.