The Department of Defense’s cybersecurity compliance program for contractors will be pared down in scope and expectations, according to an acquisition regulation document.
The Cybersecurity Maturity Model Certification (CMMC) will no longer require every contractor to get a third-party certification if they do not touch controlled unclassified data, a change that could reduce the cost of compliance for thousands of contractors.
Under the new CMMC model, which is known as CMMC 2.0, the number of security tiers is being shrunk from five to three. Novel CMMC maturity practices will also be eliminated from the standard.
CMMC has caused both excitement and heartache for the defense contracting industry since it was first floated in 2019. Advocates argue the assessments would raise cybersecurity standards across the defense industrial base, while critics say it would penalize small businesses that can’t afford to comply with the requirements.
The new regulation document was published on the Federal Register Thursday morning, before shortly afterward being withdrawn.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The changes are outlined in a proposed rule change to the Defense Federal Acquisition Regulation (DFARs) that is set to be published Nov. 5.
Following the changes, level three of the model will be bifurcated, meaning that only prioritized contracts will require third party assessments. Some level three contractors handling controlled, unclassified information (CUI) will be able to follow self-assessment protocol, following current DOD acquisition protocol.
Other changes that will impact contractors include an allowance for “Plan of Action and Milestone” (PoAM) reports, allowing contractors that do not meet every security control time to prove that they will in the future. Allowing for PoAMs has been a point of contention because failure to meet a control in a CMMC inspection would have meant a contractor could not work with DOD. PoAMs will give contractors the ability to still pass an assessment even if they are not meeting all the requirements at that time.
The new CMMC rule also introduces a broader waiver process for contractors.
The new model comes after industry groups had urged DOD for clarity on how CMMC will be implemented. Former leaders, including former Undersecretary for Acquisition and Sustinament Ellen Lord, had also urged DOD to not “let the perfect be the enemy of the good” as officials reviewed the program.
Defense contractors are not the only group that could be impacted by the changes. An industry of assessors, consultants, trainers and other cyber experts was expecting to meet demand for all 300,000 defense contractors that do business with the DOD. The vast majority of contractors that do not work on sensitive programs would have only needed a level one assessment, officials said.
With less demand, there could be less strain on the assessors that have been accredited by the CMMC Accreditation Body (CMMC AB), the third-party organization that oversees the ecosystem of assessors.
CMMC AB CEO Matt Travis recently expressed concern about the supply of certified assessors being able to meet the impending demand.
“In terms of a framework we have a pretty strong architecture, the real x-factor is are there enough Americans who are interested in becoming assessors?” he said during a recent interview with FedScoop. “I know it’s a tight labor market, so that’s probably the one thing I worry most about.”
Speaking to FedScoop, Eric Crusius, a partner at Holland Knight LLP, said questions remain over the precise nature of CMMC 2.0, but warned that allowing businesses to self-certify at CMMC level one could spur False Claims Act litigation.
“There would [likely] be a lot more room for whistleblowers under that regime,” said Crusius.
Editor’s Note: This article was updated to clarify that under CMMC 2.0, some contractors with level three designation will be able to self-certify.