WASHINGTON — The Pentagon said Thursday it’s moving forward with a controversial cybersecurity initiative meant to secure the networks of hundreds of thousands of defense contractors, who have increasingly faced a barrage of sophisticated cyber attacks.
In a Nov. 4 release, the department unveiled the Cybersecurity Maturity Model Certification 2.0, which it said includes enhancements to the initial program first developed during the Trump administration.
The enhancements include simplifying the standard with additional clarity on regulatory, policy and contracting requirements; focusing the most advanced cybersecurity standards and third-party assessment requirements on contractors supporting the highest priority programs; and increasing oversight of professional and ethical standards.
The program is built on a tiered cybersecurity framework that grades companies on a scale of one to five according to the sensitivity of the unclassified information they handle (such as controlled unclassified information) and the security controls that information requires; it was initially conceived to stop adversaries from stealing and exploiting contractor-held information. Officials have previously said adversaries cost the country $600 billion a year in cyber theft.
But some contractor advocates have argued the program will be expensive and onerous, particularly for small businesses and non-traditional contractors. The Pentagon in one planning document estimated it could affect as many as 300,000 contractors.
The initial CMMC program took effect through a September 2020 interim rule to the Defense Federal Acquisition Regulation Supplement. However, earlier this year, the DoD began a review of CMMC based upon public comments.
That internal assessment was conducted by Mieke Eoyang, deputy assistant secretary of defense for cyber policy; David Frederick, executive director of U.S. Cyber Command; David McKeown, deputy chief information officer for cybersecurity; and Jesse Salazar, deputy assistant secretary of defense for industrial policy, with other senior leaders from 18 components across DoD.
DoD said the enhancements to the program will ensure accountability for companies to implement standards while minimizing compliance barriers and generally make the program easier to execute.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Salazar said. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The changes to the CMMC program will be implemented through the rulemaking process. In the meantime, DoD will suspend current CMMC piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation until the final rule.
The CMMC Accreditation Body expressed support for the Pentagon’s shift in a Thursday statement.
“We congratulate the Department of Defense’s leadership and the CMMC Executive Steering Group on formulating what we see as meaningful and compelling improvements to the implementation of CMMC,” Matthew Travis, chief executive officer of the CMMC Accreditation Body, said. “The DoD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish: clarifying the standard, reducing the cost burden, improving scalability, and instilling greater trust and confidence in the CMMC Ecosystem.”
He also noted that there will likely be challenges ahead, such as adjusting curricula for training providers and the additional time federal rulemaking will require.
The statement also pointed to changes in the technical standard for CMMC: the former levels 2 and 4 are removed, collapsing the framework from five levels to three, and level 1 becomes a self-assessment (self-attestation) requirement only, with no third-party certification.
“The elimination of novel CMMC maturity practices from the standard and the inclusion of limited Plans of Action and Milestone (POAMs) as an acceptable form of remediation for certain CMMC practices will have a significant impact on how Defense Industrial Base (DIB) companies prepare for and implement CMMC,” the statement said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.