Dive Brief:
- The Department of Defense is overhauling the controversial Cybersecurity Maturity Model Certification (CMMC) program, the Pentagon announced Thursday. The program is designed to raise standards for military contractors to protect against increasingly sophisticated threat actors targeting the U.S. defense industry.
- CMMC, however, was bogged down with complaints from small- to medium-sized subcontractors and other military suppliers who called the program overly complex and so expensive that they could not afford to meet the requirements needed to achieve full compliance with the rules.
- Under the new regulations, the DOD will pare down the number of CMMC compliance levels from five to three and contractors that handle less sensitive defense information can reach compliance without having to undergo assessments by third parties. The Pentagon will still require contractors handling more sensitive or classified data to go through more stringent assessments to reach compliance.
Dive Insight:
The streamlined CMMC 2.0 program is designed to cut red tape for small- to medium-sized businesses by making it easier for them to reach compliance. It also offers additional flexibility to reach goals through "plans of action and milestones" and allows officials to grant waivers in other cases, according to a DOD spokesperson.
"The Department of Defense must do everything it can to protect the hard working, entrepreneurial companies and workers in the defense industrial base," the spokesperson said. "Increasingly sophisticated and well-resourced cyberattacks, including state sponsored espionage, are threatening the U.S. and the rules based order on which the global economy relies. That's why [defense industrial base] cybersecurity is and will remain a priority."
The changes in the CMMC program would likely impact plans for civilian contracts in other federal agencies, as the General Services Administration had already prepared guidance to expand the cybersecurity standards program. The Department of Homeland Security more recently began moves to incorporate similar standards into its contracting process.
The CMMC Accreditation Body, an independent organization formed in January 2020 to help manage the certification process for defense contractors, welcomed the revisions made to the program.
"The DOD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish, clarifying the standard, reducing the cost burden, improving scalability and instilling greater trust and accountability in the CMMC ecosystem," Matthew Travis, CEO of the CMMC Accreditation Body, said in a prepared statement Thursday.
The defense industrial base includes more than 300,000 companies of various sizes, from small, independent family-sized businesses to multibillion-dollar industrial parts and weapons makers.
From the earliest days of the CMMC program, there were concerns raised about whether the program as constructed would put too much pressure on the relationship between larger companies and their subcontractors, who might be forced out of the industry if they were unable to meet minimum standards.
Often, the smaller companies were entities targeted by nation-state and other threat actors as the weakest link in the chain. CISOs and other cybersecurity executives at large industry contractors have long been concerned about the ability of smaller partners to come into compliance.
"CMMC, as reviewed, was very complex and would have been difficult for the government to sustain," said Mike Riecica, director, security strategy & risk at Rockwell Automation. "Smaller companies were starting to openly admit the cost of entry was a potential deterrent. As such, the DIB would have likely constricted as smaller companies walked away from opportunities."
CMMC 2.0 will help create a more sustainable solution, which, if correctly defined, will correct the ambiguities of the first attempt, Riecica said. As a company that sits squarely within a defined level, Rockwell Automation will not be significantly impacted, Riecica said. The controls defined in previous versions would still apply moving forward.
However, Alla Valente, a senior analyst at Forrester Research, questioned whether the Pentagon was giving in to concerns about burden sharing at the expense of security.
"Should our goal be to [get] small contractors into compliance or is the goal to get smaller contractors to adopt some minimum standard of security best practices?" Valente asked. "Compliance is our floor, not our ceiling. If the goal is to protect our nation's critical infrastructure, then it should be about the risk of small contractors not having the basic standards of security."
Valente agreed that moving from five to three levels and allowing contractors to achieve best practices rather than align with National Institute of Standards and Technology (NIST) compliance levels would ease the barrier to entry. However, Valente questioned whether allowing companies at Level 1 and Level 2 to self-certify rather than go through a third-party assessment was too risky without some way of independent verification.