Christopher Moschella, Risk Advisory Services Senior Manager, Keiter
November 11, 2021
Last week, the Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. The nascent cybersecurity compliance program came under criticism from the defense industrial base (DIB) because of its extensive requirements and onerous penalties.
The program changes come as a result of an extensive internal review which was prompted by over 850 public comments regarding the CMMC during the public comment period in the Fall of 2020 in addition to concerns raised by Congress.
The CMMC Accreditation Body (AB) held a Townhall this week to discuss how the changes will impact the process of certifying assessors, training requirements, and more. This Townhall featured Deputy Assistant Secretary of Defense Jesse A. Salazar, Deputy DoD Chief Information Officer for Cybersecurity David McKeown, and Buddy Dees of the CMMC Program Management Office. They reinforced much of the new information that is available on the CMMC website.
A key driver for the change, they said, was to fully align the CMMC with National Institute of Standards and Technology (NIST) cybersecurity standards, to ease the process of expanding the program across the government. Though not an official announcement, it does portend the expansion of the program outside of DoD.
Summary of CMMC Program Changes
| | CMMC 1.0 | CMMC 2.0 |
|---|---|---|
| Maturity Levels | 5 Levels | 3 Levels |
| Process Maturity Requirements (Policies and Procedures) | Required | Not Required |
| Level 1 Requirements | 17 Practices, 0 Process Maturity | 17 Practices, 0 Process Maturity |
| Level 1 Assessments | Triannual Third Party | Annual self-assessment |
| Level 2 Requirements (formerly Level 3) | 130 Requirements, 3 Process Maturity | 110 Requirements (NIST SP 800-171), 0 Process Maturity |
| Level 2 Assessments | Triannual Third Party | Triannual Third Party or Annual self-assessments |
| Level 3 Requirements (formerly Level 5) | 171 Practices, 5 Process Maturity | 110 Requirements + additional requirements from NIST SP 800-172 |
| Level 3 Assessments | Triannual Third Party | Triannual Government-led assessments |
CMMC 2.0 Scoring System
CMMC 1.0 is officially over. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Over the next few weeks, an updated CMMC Assessment Guide for Levels 1 and 2 should be posted to the Department’s website. Additionally, CMMC 1.0 was essentially a 100% pass/fail assessment: organizations had to satisfy every practice and process maturity requirement to pass. CMMC 2.0 moves to a scoring system, most likely similar to the scoring process for NIST SP 800-171. However, certain high-risk practices still cannot fail in a passing assessment. Organizations will be allowed to document plans of action and milestones (POA&Ms) for other practices that do not pass, and DoD will establish a minimum score for passing assessments.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Chris Moschella is a Senior Manager within Keiter’s Risk Advisory Services practice. He is a Certified Public Accountant and a Certified Information Systems Auditor. He leads Keiter’s IT and cybersecurity related audit and consulting services, including the CMMC consulting practice. Prior to joining Keiter in 2016, Chris was a Manager at PricewaterhouseCoopers, where he performed financial and IT audit related services in the Defense space for 8 years. Chris speaks regularly across Virginia on a variety of topics related to cybersecurity and cryptocurrency.