On November 4, 2021, the Department of Defense (DOD) announced it is revamping the Cybersecurity Maturity Model Certification program. The changes are intended to make the program more streamlined and flexible, which, in turn, will make it easier (and cheaper) for contractors to implement. Details of the revised program are limited, but some of the highlights include:
- Fewer Levels: CMMC 2.0 will have only three levels of certification rather than five, and they will align more closely with existing cybersecurity standards. For example, Level 2 will align with NIST SP 800-171, the standard that applies when contractors handle controlled unclassified information.
- Self-Assessments: Level 1 certifications, and in some cases, Level 2, can be based on self-assessments, whereas CMMC 1.0 did not allow for self-assessments. This will relieve many, if not most, contractors from the burden and expense of undergoing a third-party assessment, but it will also increase the potential for liability under the False Claims Act for contractors who incorrectly certify their compliance.
- Flexible Timing: Contractors can be certified even if they do not meet all of the requirements as long as they have a clear plan as to when and how they will achieve those requirements. That flexibility will be limited, however, as certain requirements will have to be met prior to certification.
The DOD is implementing CMMC 2.0 through the rulemaking process and has indicated that the requirements will not appear in any contracts until that process is complete. The DOD estimates that could take anywhere from nine months to two years. In the meantime, the department is canceling its rollout of CMMC 1.0, which was supposed to be incorporated into an increasing number of contracts over the next five years. Therefore, while contractors are still encouraged to strengthen their cybersecurity, they do not have to worry about complying with CMMC for the time being.