WASHINGTON — President-elect Donald Trump has repeatedly promised to slash government regulations once he takes office in January, but there’s at least one Defense Department provision that industry figures, and one key Pentagon official, say is likely safe from the deregulation campaign: CMMC 2.0.
CMMC 2.0, the second iteration of the Cybersecurity Maturity Model Certification, is a framework that requires companies that do business with the Pentagon to demonstrate a baseline level of cybersecurity, in many cases verified by an external assessment.
“CMMC was initially started under the first Trump administration,” Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s office of the chief information officer, said in November. “We have made such progress, and so many people recognize the need for it. It endured, and we went through and did the proper rule making steps to make it, to memorialize it. I don’t see it going anywhere.”
Similarly, Eric Crusius, a partner and CMMC compliance specialist at Holland & Knight, said, “You’ll probably see regulations melting away in other areas, such as environmental rules or labor.”
But “with respect to cyber security, I think we’ll see a continuation of the policies that the Trump administration originally started because I think a priority for them is to protect our information from our adversaries, at least that’s their stated priority, and this is consistent with that,” he told Breaking Defense.
CMMC 1.0 was established in January 2020 during Trump’s first term. Plans for an updated version, CMMC 2.0, were announced in November 2021 under President Joe Biden, and the proposed rule for the program was published in December 2023, setting new standards for contractors who handle controlled unclassified information (CUI).
CMMC 1.0 had a five-level scale for compliance, while CMMC 2.0 has a three-level scale. Additionally, whether a contractor needs an outside assessment now depends on its level and on the sensitivity of the information it handles.
Contractors at Level 1, which covers basic safeguarding of federal contract information (FCI), and some Level 2 contractors who handle CUI can perform self-assessments to verify that they are CMMC compliant. The remaining Level 2 contractors must be assessed by an accredited third-party assessment organization, and Level 3 contractors, who handle the most sensitive CUI, face a government-led assessment on top of that.
Earlier this week a final rule for CMMC 2.0 went into effect, codified in Title 32 of the Code of Federal Regulations (32 CFR, Part 170). This rule gives the Pentagon the authority to establish and enforce cybersecurity requirements through the CMMC framework, essentially defining the CMMC 2.0 program itself.
The next outstanding rule, the 48 CFR acquisition rule that amends the Defense Federal Acquisition Regulation Supplement, outlines how CMMC 2.0 compliance will be integrated into DoD contracts, making the program a mandatory contract requirement. This rule will likely be released in the spring or summer of 2025, Bostjanick said. In summary, 32 CFR sets the standards and 48 CFR enforces those standards within contracts. (Bostjanick said that companies should not wait for the 48 CFR rule to come out to get their assessments completed.)
In order to avoid a scramble to meet the new regulations with little notice, those requirements won’t become mandatory until after a three-year phase-in period.
‘Threats Are More Real Than Ever’
Though some companies have expressed concern over the burden the cybersecurity regulations will put on them, Crusius said CMMC under Biden actually loosened a bit, paving a smoother road for a Trump administration to keep much of it in its current form.
“It was actually made a little bit more business friendly, I’d say, under the Biden administration,” said Crusius, whose firm assists DoD contractors with becoming CMMC compliant. “My sense is that based on the platform that the Trump administration ran on, is that this will continue to stay in place.”
Similarly, Corey Bieber, a partner at K&L Gates, told Breaking Defense that given the current climate of cyber threats, he doesn’t see a reason why the Trump administration would backtrack on CMMC.
“This is meant to combat cyber security threats, but specifically advanced persistent threats, as mentioned in CMMC. I think that those threats are more real than ever and I don’t imagine that the new administration is going to be backing off on investment in the Department of Defense in general when it comes to weapons,” he said. “So why would they back off when it comes to protecting their cyber assets?”
Eric Noonan, CEO of CyberSheath, told Breaking Defense that the adversarial cyber threats the US faces, particularly from China, are one reason Trump won’t diminish CMMC 2.0.
“It was actually President Trump’s administration that came up with CMMC and recognized the fact that we are under attack, largely by countries like China, as you saw with the recent telecom attack. What we’ve been doing isn’t working.”
“The Trump administration has a very strong track record of doing things to strengthen the supply chain, to strengthen cybersecurity, particularly when defending against the threat of China,” he later added.
CMMC’s Fate Not Decided, Though
Not everyone is so sure that CMMC 2.0 is sticking around. Quentin Hodgson, formerly the Pentagon’s director of Cyber Plans, told Breaking Defense that given the fact that Republican administrations tend to scale back on regulations, CMMC 2.0 requirements could be reduced.
“It’s possible that the new administration could decide to relook at that and say this is too high a burden or not the right way to approach improving cybersecurity standards in the defense industrial base,” Hodgson said of CMMC 2.0.
“I could see where there would be a relook at some of those things that were seen as maybe from a Republican or conservative point of view […] more heavy handed than it needed to be with respect to the private sector,” he added.
Somewhere in the middle of these opinions lies Emily Harding, vice president of the Defense and Security Department at the Center for Strategic and International Studies. Harding told Breaking Defense that she doesn’t think that the concept of CMMC is “perfect,” but it wouldn’t be the right call to get rid of the program entirely.
“You need something along the lines of a certification mechanism or an auditing mechanism. The general thought in the cyber security community is that you don’t want a compliance checklist, because then people just study for the test. You get to the point where you can check all the boxes off the checklist, and then not beyond that,” she said.
“Is CMMC perfect? No, however, you wouldn’t want to get rid of any kind of requirements at all, because I think that would have the opposite effect that you’re going for. This is one of those sort of technical questions that I would expect the Trump administration won’t tackle until they have people in place who actually understand it.”
Trump’s transition team did not respond to Breaking Defense’s questions with regard to plans for CMMC.