Yesterday, the Department of Defense ("DoD") announced Version 2.0 of the Cybersecurity Maturity Model Certification ("CMMC") Program. Notably, CMMC 2.0 maintains the original CMMC 1.X Program's goal of safeguarding sensitive information, while:
- Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
- Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
- Increasing Department oversight of professional and ethical standards in the assessment ecosystem.
Together with this announcement, DoD also updated its CMMC website to provide an overview of CMMC 2.0. Briefly, CMMC 2.0: (1) cuts red tape for small and medium-sized businesses, (2) sets priorities for protecting DoD information, and (3) reinforces cooperation between the DoD and industry in addressing evolving cyber threats. The primary goals of CMMC 2.0 are:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
To that end, some differences between CMMC 1.X and CMMC 2.0 are immediately noticeable. For example, CMMC 1.X included five Maturity Levels and required third-party certifications at each level. CMMC 2.0, on the other hand, removes the previous Levels 2 and 4, removes the maturity processes, and removes the excess practices from Level 3 to harmonize it with NIST SP 800-171. With this new scheme, CMMC 2.0 will look like the following:
- Level 1 (Foundational) – 17 practices & annual self-assessment
- Level 2 (Advanced) – 110 practices of NIST SP 800-171 & triennial third-party assessments for "critical national security information" and annual self-assessments for select programs
- Level 3 (Expert) – Based on a subset of NIST SP 800-172 & triennial government-led assessments
Interestingly, while CMMC 1.X required 100% compliance within a given Maturity Level, CMMC 2.0 will allow for covered systems under a plan of actions and milestones ("POA&M") to achieve certification "under certain limited circumstances." And, while CMMC 2.0 will now allow self-assessments, defense contractors will also be required to include with that self-assessment "an annual affirmation from a senior company official that the company is meeting requirements."
DoD's website indicates that CMMC 2.0 will be implemented through the rulemaking process – in both Part 32 of the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement – and that defense contractors will be required to comply once the forthcoming rules go into effect.
DoD's CMMC 2.0 program is a drastic change from CMMC 1.X, which many believed would be burdensome on small businesses and could deter innovation in the defense industrial base. Instead, it appears CMMC 2.0 may represent a substantially less burdensome cybersecurity regulation. Regardless, given the frequency with which nation-state threat actors and their proxies are targeting the defense industrial base (e.g., through ransomware), contractors should continue to be vigilant and ensure that their cybersecurity programs not only provide reasonable safeguards but also adhere to all relevant regulatory requirements.
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, available at https://csrc.nist.gov/publications/detail/sp/800-172/final.
In that regard, the DoD website provides that, "[t]he Department's intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification."
Please reach out to a member of Maynard's Government Solutions Group if you have any questions or need assistance.