DOD revamps controversial CMMC program
After a nine-month review, the Defense Department is replacing its original cyber compliance program for the industrial base with CMMC 2.0, putting more emphasis on self-assessment.
The Department of Defense is revamping its cybersecurity compliance program for government contractors, after a nine-month internal review and complaints from vendors large and small over the cost and complexity of the requirements.
Cybersecurity Maturity Model Certification 2.0, announced Nov. 4, promises a new strategic direction for protecting federal contract information and controlled unclassified information that allows for more self-assessment, eliminates several tiers of compliance and reduces the role of third-party assessment.
"CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base," Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a statement. "By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DOD requirements."
DOD will establish and implement new CMMC policies through the rulemaking process, including a period for public comment, according to a notice that was posted and then removed from the Federal Register on Nov. 4. That document states that CMMC pilots will be suspended until the CMMC 2.0 rule changes take effect, and that going forward CMMC requirements will not be included in DOD solicitations.
The move "raises the bar on security but reduces the compliance," said John Weiler, CEO of the IT-Acquisition Advisory Council and a frequent critic of the CMMC program.
The revamp of the CMMC program also appears to dovetail with a recent move by the Justice Department to launch the Civil Cyber-Fraud Initiative to target contractors that "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
Weiler noted that companies that fraudulently self-assess could face false claims lawsuits from the DOJ's Civil Division.
Some details are still not available about the new program, in particular the status of the CMMC Accreditation Body, which has a contract to certify third-party assessment and training under the first iteration of the program.
Under CMMC 2.0, third-party assessment will be focused "on companies supporting the highest priority programs," according to a one-page explainer released by DOD to announce the new direction of the program.
A version of this article appeared on FCW, a Defense Systems partner site.