The Defense Department recently streamlined its Cybersecurity Maturity Model Certification program.
As 2022 dawns, the Defense Department is hoping for a smoother path ahead for its process of ensuring that all defense industrial base contractors meet cybersecurity requirements for handling controlled unclassified information, or CUI.
In November, the Pentagon revamped the Cybersecurity Maturity Model Certification program, streamlining the process and increasing DOD oversight of professional and ethical standards in the assessment ecosystem.
There is hope that assessments of the companies that will serve as certified third-party assessment organizations (C3PAOs) could resume by the end of January, but the DOD is the final arbiter on that timeline.
“So the expectation is that everything will be worked out by early to mid-January, and then the assessments will resume,” said Jon Hanny, director of operations and CISO for the CMMC Accreditation Body, during a Dec. 20 virtual town hall, according to FCW.
Hanny said that C3PAOs were being added to the CMMC program as they become ready. “We are ramping up as much as we can,” he said.
DOD Aims to Simplify CMMC Process
In November, the DOD unveiled a revised version of the CMMC program, which underwent a lengthy internal Pentagon review last year following criticism from industry. A December report from the Government Accountability Office found that the DOD had not met its implementation goal for the program or adequately communicated key decisions with industry players.
The new CMMC 2.0 standard includes several key changes. Foremost, it streamlines the levels of certification from five down to three. Level 1, called “Foundational,” requires an annual self-assessment against only 17 practices. Level 2, dubbed “Advanced,” requires third-party assessments every three years for contracts involving critical national security information, and annual self-assessments for select programs; companies must follow 110 practices aligned with the National Institute of Standards and Technology’s Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The most advanced level, “Expert,” requires government-led assessments every three years, and vendors must follow more than 110 practices aligned with NIST’s enhanced guide on protecting CUI, Special Publication 800-172.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” says Jesse Salazar, deputy assistant secretary of defense for industrial policy, in a DOD statement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DOD requirements.”
The DOD also says that the new program reduces assessment costs because it allows more companies to demonstrate compliance through self-assessments, and increases accountability through enhanced oversight of the professional and ethical standards of third-party assessors. Additionally, the DOD says the CMMC 2.0 program is more flexible, because it allows companies, under certain limited circumstances, to use “Plans of Action & Milestones” to achieve certification, and it grants waivers to CMMC requirements under certain limited circumstances.
CMMC 2.0 will now go through a rule-making process to be codified, which could take nine to 24 months, according to the DOD, and will become a contract requirement once rule-making is completed.
DOD says the changes were made in an effort to reduce compliance costs (particularly for small businesses), increase trust in the CMMC assessment ecosystem, and clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards.
Matthew Travis, the CMMC Accreditation Body’s CEO, said in December that moving forward with assessments is dependent on DOD greenlighting the process, FCW reports. Assessments will also be affected by “preparing the IT systems assessment organizations will use to upload the assessment data and updated documentation to incorporate program changes,” according to FCW.
“I talked to a C3PAO authorized today, they’ve got customers ready to go,” Travis said. “So when that green light comes on, you’re going to see assessments starting.”