The silence from the nine-month-long Department of Defense internal review of its CMMC implementation has finally ended. The DoD review had multiple key objectives, including:
- Safeguarding sensitive information to enable and protect the warfighter
- Dynamically enhancing DIB cybersecurity to meet evolving threats
- Ensuring accountability while minimizing barriers to compliance with DoD requirements
- Contributing towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintaining public trust through high professional and ethical standards
Yesterday, the DoD released a statement that the CMMC review had been completed and that detailed modifications would follow in the coming days.
The DoD also announced that the modifications will be under a new CMMC implementation called “CMMC 2.0”, but this statement was later withdrawn.
Here are the key takeaways:
- The DoD is eliminating Levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model. The new three-level model will greatly reduce the complexity of the original, especially since many organizations were targeting Level 3 certification because Levels 4 and 5 were never finalized.
- The DoD is now permitting annual self-assessments for Level 1. This enables small businesses to remain competitive when bidding for DoD contracts by removing significant cost requirements for third-party certification.
- The DoD is separating CMMC 2.0 Level 2 requirements to provide additional oversight for organizations that impact critical national security information. Those companies will require triannual third-party assessments, while the remaining organizations can conduct annual self-assessments. Once again, this is a more practical approach that enables proper due diligence for sensitive information.
- CMMC 2.0 Level 3 (formerly Level 5) requirements are still under development. Given the lack of clarity around Level 5 to begin with, most organizations are unlikely to be affected, as they will aim to achieve either Level 1 or Level 2 certification.
- CMMC pilots and contract requirements have been suspended until CMMC 2.0 has been finalized. Because CMMC 2.0 Level 2 requirements align with NIST SP 800-171, organizations would do well to review and implement those controls now as part of their cybersecurity best practices.
We will publish additional analysis and recommendations once the detailed modifications are announced.