EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
On November 4, 2021, the Department of Defense (DoD) announced long-anticipated changes to the Cybersecurity Maturity Model Certification (CMMC) program as a result of the internal review that began in March 2021.
The updated model is being called CMMC 2.0. Summary of key changes include the following:
Streamlined model to eliminate Levels 2 and 4, leaving:
Level 1 — Foundational (equivalent to previous Level 1)
Level 2 — Advanced (equivalent to previous Level 3)
Level 3 — Expert (equivalent to previous Level 5)
CMMC-unique practices and all maturity processes are being eliminated
Certain levels will have assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs):
Level 1 contractors and a subset of Level 2 contractors will require annual self-assessments and submission of affirmations by senior company officials
Level 2 contractors managing information critical to national security will require an assessment by a C3PAO
Level 3 contractors will require triennial government-led assessments
Certifications can be achieved with an active Plan of Action and Milestones (POA&M) in limited circumstances; however, POA&Ms cannot be for highest-weighted requirements
CMMC waivers can be obtained in limited circumstances
DoD rulemaking to address the changes of CMMC 2.0 is expected to take 9 to 24 months and will require two distinct rulemaking processes:
Updates to Title 32 of the Code of Federal Regulations (CFR)
Updates to applicable Defense Federal Acquisition Regulation Supplement (DFARS) contracting clauses and Title 48 of the CFR
Although CMMC will not be included as a requirement in any solicitation until the final rules are issued, the DoD is considering incentivizing organizations who undergo and pass a CMMC assessment by a C3PAO in the meantime. Potential incentives that are currently being considered include additional profit margins and source selection evaluation criteria that factors network security of the organization.
The path forward for organizations contracting with the government
While organizations in the Defense Industrial Base wait for the rule finalizations, they should continue their journey of improving their cybersecurity posture. For organizations that already have contracts that include the DFARS 252.204-7012 clause and are targeting Level 2 of CMMC 2.0, it is primarily a continuation of that effort with the main difference being that they will need to undergo an assessment by a C3PAO.
If your organization is targeting Level 1, don’t sigh in relief too early. Companies should be mindful of the annual assertions that are required and the potential risks, including False Claims Act (FCA) violations. Deputy Attorney General Lisa O. Monaco’s recent announcement regarding the creation of the Department of Justice’s Civil Cyber-Fraud Initiative indicates the government’s focus on FCA as a tool to pursue any assertions.
Summary
The Department of Defense announced changes to the Cybersecurity Maturity Model Certification. This overview of the updated model - CMMC 2.0 – outlines some of the key changes and what actions organizations should take.
About this article
Authors
US Forensics Government Contract Services Leader
Senior Manager, Forensic & Integrity Services, Ernst & Young LLP
Senior Manager, Government Contract Services, Ernst & Young LLP