Pentagon rolls out v2.0 of controversial CMMC program

WASHINGTON: The Pentagon announced Thursday that it’s rolling out version 2.0 of its Cybersecurity Maturity Model Certification, a program intended to improve the cybersecurity of the defense industrial base, but which has been mired in controversy and viewed with skepticism by industry from the start.

Given widespread industry criticism of the program, Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar emphasized better partnership between the Defense Department and the private sector in announcing the latest updates.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Salazar said in DoD’s announcement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

Almost no one disagrees with the CMMC’s aims: To better secure sensitive, non-classified information shared by DoD with its commercial partners. But allegations of malfeasance, lack of adequate resourcing, logistical difficulties in implementation, the cost of compliance (especially for small- and medium-sized businesses or SMBs), and a dozen other criticisms have surrounded the program in the nearly three years since it was first unveiled.

DoD rolled out the interim rule for CMMC 1.0 as a Defense Federal Acquisition Regulation Supplement (DFARS) in September 2020, which went into full effect a year ago, with a five-year phase-in period. CMMC 2.0 overrides CMMC 1.0.

At its most basic level, CMMC is envisioned to be a tiered certification process whereby members of the defense industrial base, or DIB, can demonstrate the “maturity” of their cybersecurity programs against a set of increasingly advanced capabilities. These capabilities are, in turn, intrinsically tied to requirements for DoD acquisition programs. CMMC 1.0 contained five such maturity levels, but CMMC 2.0 has been streamlined into three tiers, DoD said on Thursday.

Whereas cybersecurity programs preceding CMMC allowed DIB companies to “self-attest” to their security capabilities, CMMC 1.0 introduced the requirement for third-party verification. This requirement was not in and of itself seen as controversial and even viewed by many as an improvement over self-attestation.

But the Accreditation Board created to green light who counts as qualified third-party assessors has been accused by self-described industry whistleblowers as being nothing more than a “pay-to-play” scheme, a claim reiterated independently by multiple sources to Breaking Defense over recent months. The explosive claims led to high-level resignations at the CMMC-AB last year.

Perhaps given this controversy, DoD said it will be “increas[ing] oversight of professional and ethical standards of third-party assessors.”

DoD also said CMMC 2.0 allows companies vying for Level 1 and some Level 2 requirements to self-assess. This move will, in practice, decrease the cost of certification, especially for DIB SMBs, as well as address criticisms that it will be nearly impossible for assessors to effectively evaluate the cybersecurity of some 300,000 DIB companies and their third-party suppliers on a regular basis.

DoD also announced new “flexible implementation” of the requirement, including certification waivers in some cases and the ability for some DIB companies in special cases to obtain initial certification based on a Plan of Actions and Milestones to achieve future compliance.

The Pentagon’s latest move is clearly intended to adjust the delicate balance between easing the process for companies to work with DoD against upholding security requirements that have teeth. As part of this effort, DoD developed Project Spectrum with the goal of assisting DIB companies in reviewing their cyber postures and implementing cybersecurity practices.

The update comes as DoD and industry await a highly anticipated Government Accountability Office report based on a CMMC program audit. Joseph Kirschbaum, director of Defense Capabilities and Management at GAO, told Breaking Defense the draft report is currently with DoD for comment and that GAO should receive those official comments soon — “within the next few weeks” — and then process the final report. GAO doesn’t yet have an official publication date set.

The audit involved three GAO teams and two industry groups working in collaboration. One of the two industry sources for GAO’s report, the IT Acquisition Advisory Council, released its preliminary findings in June. That report agrees with industry whistleblowers’ allegations that the “[Accreditation Board’s] marketplace has become a pay-to-play construct” and recommends its elimination altogether, along with a list of other reforms to the CMMC program. It remains to be seen whether GAO will adopt all or some of these recommendations in its final report.

Given the perceived challenges around implementing CMMC, some industry players have proposed creating a cloud environment — akin to DoD’s envisioned Joint Warfighting Cloud Capability — specifically for the DIB. These proposals, perhaps controversially, suggest the DoD and larger DIB prime contractors fund the lion’s share of building and operating the cloud environment, while essentially allowing smaller DIB firms to move data and resources there at minimal cost. Such an approach could drastically improve cybersecurity across all DIB businesses, while simplifying the certification and compliance process, proponents argue.

To date, DoD has not publicly shown an inclination to entertain the idea.