By Payam Pourkhomami, President & CEO of OSIbeyond
Read part one here.
What are the biggest changes in the new proposed CMMC 2.0 rule?
The new proposed Cybersecurity Maturity Model Certification 2.0 rule introduces several critical updates that government contractors must heed, particularly regarding the engagement with service providers and the management of security protection data.
For smaller contractors, who often rely on a combination of internal IT staff and outsourced resources, the new rules regarding managed services providers, or MSPs, and managed security services providers, or MSSPs, are of particular importance. The updated regulations require these service providers to be third-party certified to the same CMMC level as the contractor they are serving. This directive aims to create a uniformly secure environment across all echelons of service and supply to guarantee that cybersecurity standards are not compromised at any tier of service provision.
Unfortunately, this presents a substantial challenge, especially for contractors whose MSPs and MSSPs do not primarily serve the defense industrial base and thus may not find the cost of achieving such certification justifiable. Contractors must reassess their dependencies and possibly consider transitioning to service providers specializing in CMMC-compliant services.
Cloud service providers, or CSPs, also face new mandates under CMMC 2.0. These providers, which include widely used services like Office 365, Box and Dropbox, must now possess FedRAMP Moderate authorization or demonstrate an equivalent level of security compliance. Having said that, the equivalency, which would necessitate C3PAO approval of the CSP’s evidence, is anticipated to be a less traveled route due to the complexity and stringency of the validation process.
While security protection assets are a part of existing CMMC 2.0 scoping documentation, the CMMC rule as drafted includes new references to security protection data, or SPD. This data is defined, somewhat broadly, as encompassing elements like log data and configuration data. The inclusion of SPD will compel contractors to undertake a comprehensive review of their systems and tools that contribute to their security and compliance programs, potentially ranging from physical access control systems, SIEM platforms, cameras, project management tools, governance, risk and compliance systems, to training and HR software. Needless to say, the implication of this extended scope is a likely increase in costs and administrative burdens for contractors.
Last but not least, the new proposed rule introduces more stringent guidelines for reassessments and scope changes. It specifically states that “If the CMMC Assessment Scope changes due to infrastructure modifications or expansion of the CMMC Assessment Scope due to new acquisition, a new assessment may be required.” Typically, changes of this nature, particularly to infrastructure or the addition of assets and systems, happen far more often than the standard three-year certification assessment cycle. Therefore, most contractors will be impacted by this requirement that, as written, would require frequent reassessment for even minor changes to scope, such as the removal or addition of a contractor risk managed asset, or CRMA that does not store or process CUI.
When will CMMC 2.0 be implemented?
The journey toward full implementation of the CMMC 2.0 program is structured into a four-phase timeline.
Starting in Q1 CY 2025, the initial phase of CMMC 2.0 rollout will require that all new contracts demand a self-assessment for both CMMC Level 1 and Level 2 prior to awarding. For Level 1, this involves demonstrating complete compliance with the 17 essential requirements outlined by the FAR clause 52.204-21. Contractors aiming for Level 2 certification will navigate slightly different terrain, where limited deficiencies, known as Plans of Action & Milestones, or POAMs, will be permissible. These POAMs are bound by strict score requirements, certain non-negotiable “must pass” conditions and a stringent 180-day deadline to rectify any shortcomings. It is imperative for contractors to aim for full compliance from the outset, as reliance on the POAM allowances is not a viable long-term strategy.
Following six months after Phase 1, Q3 CY 2025 will usher in a new set of requirements. During this phase, the Department of Defense will introduce certification assessments as a default for new contracts, requiring contractors to undergo third-party assessments to verify their compliance. The DOD reserves the right to exercise discretion in enforcing this requirement, potentially delaying it under certain circumstances. Nevertheless, the expectation for most contractors will be to engage with a C3PAO to authenticate their cybersecurity measures.
By Q3 CY 2026, third-party certification will become mandatory for Level 2 contractors as a prerequisite for exercising contract option periods. This phase may also signal the introduction of CMMC Level 3 requirements into contracts.
The final phase of CMMC 2.0 implementation is projected for Q3 CY 2027, and it will see the program’s requirements integrated into all DOD solicitations and contracts, including the extension of current contracts during option periods. This comprehensive inclusion represents the culmination of the DOD’s efforts to standardize and strengthen cybersecurity practices across the entire DIB.
Conclusion
The CMMC 2.0 program represents a significant evolution in the Department of Defense’s strategy to protect vital information within the defense industrial base. It is a robust yet flexible model that anticipates and adapts to the varied capabilities of contractors so that every link in the defense supply chain is secure. Its rollout is scheduled to commence in Q1 CY 2025 with mandatory self-assessments for contractors seeking new contracts. As you consider the impact of these changes on your operations, remember that the investment in meeting these requirements is also an investment in your company’s competitive edge and in the trust of your government partners.
For more information, download the DoD Contractor’s Guide to CMMC 2.0 Compliance.
