By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Last week, the Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. The nascent cybersecurity compliance program came under criticism from the defense industrial base (DIB) because of its extensive requirements and onerous penalties.
The program changes come as a result of an extensive internal review which was prompted by over 850 public comments regarding the CMMC during the public comment period in the Fall of 2020 in addition to concerns raised by Congress.
The CMMC Accreditation Body (AB) held a Townhall this week to discuss how the changes will impact the process of certifying assessors, training requirements, and more. This Townhall featured Deputy Assistant Secretary of Defense Jesse A. Salazar, Deputy DoD Chief Information Officer for Cybersecurity David McKeown, and Buddy Dees of the CMMC Program Management Office. They reinforced much of the new information that is available on the CMMC website.
A key driver for the change, they said, was to fully align the CMMC with National Institute of Standards and Technology (NIST) cybersecurity standards, to ease the process of expanding the program across the government. Though not an official announcement, it does portend the expansion of the program outside of DoD.
Summary of CMMC Program Changes
| CMMC 1.0 | CMMC 2.0 | |
|---|---|---|
| Maturity Levels | 5 Levels | 3 Levels |
| Process Maturity Requirements (Policies and Procedures) | Required | Not Required |
| Level 1 Requirements | 17 Practices 0 Process Maturity | 17 Practices 0 Process Maturity |
| Level 1 Assessments | Triannual Third Party | Annual self-assessment |
| Level 2 Requirements (formerly Level 3) | 130 Requirements 3 Process Maturity | 110 Requirements (NIST SP 800-171) 0 Process Maturity |
| Level 2 Assessments | Triannual Third Party | Triannual Third Party Annual self-assessments |
| Level 3 Requirements (formerly Level 5) | 171 practices 5 Process Maturity | 110 Requirements. + Addtl reqs from NIST SP 800-172 |
| Level 3 Assessments | Triannual Third Party | Triannual Government-led assessments |
CMMC 2.0 Scoring System
CMMC 1.0 is officially over. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Over the next few weeks, an updated CMMC Assessment Guide for Levels 1 and 2 should be posted to the Department’s website. Additionally, CMMC 1.0 was essentially a 100% pass/fail assessment. Organizations had to pass all the practice and process maturity requirements to pass an assessment. CMMC 2.0 moves to a scoring system, most likely similar to the scoring process for NIST SP 800-171. However, certain, high-risk practices still cannot fail in a passing assessment. Organizations will be allowed to document plans of actions and milestones (POA&Ms) for other practices that do not pass, and DoD will establish a minimum score for passing assessments.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000
About the Author
Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.
More Insights from Christopher MoschellaThe information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
