
Alston & Bird Government Contracts Blog


Department of Defense Suspends the CMMC Pilot Program And CMMC Requirements In DoD Solicitations Pending Major Changes For CMMC 2.0

November 8, 2021 By Amy Mushahwar and Jon Knight

The Department of Defense (DoD) recently announced it will be revamping the nascent Cybersecurity Maturity Model Certification (CMMC) program pending two separate rulemaking processes. As detailed below, the DoD will be updating “the program structure and the requirements to streamline and improve implementation of the CMMC program.” We will be monitoring the rulemaking process for more details as they become known. The primary short-term takeaway is that until the rulemaking process is complete, the DoD is suspending the CMMC Pilot Program and will not include CMMC requirements in any DoD solicitations. However, the DoD is evaluating how it could “provide incentives” to contractors who voluntarily obtain a CMMC certification in the interim.

CMMC 1.0 Included Five Certification Levels And All Levels Required A Third Party Assessment For Certification.

CMMC 1.0 was designed to have five certification levels: (1) basic cyber-hygiene; (2) intermediate cyber-hygiene; (3) good cyber-hygiene; (4) proactive; and (5) advanced/progressive. These levels, achieved based on scoring for up to 173 different controls, were derived from multiple other cybersecurity standards but unified into a single framework. Additionally, in order to be certified at a particular level under CMMC 1.0, a contractor was required to be assessed by a CMMC Third-Party Assessment Organization (C3PAO). But accrediting and approving these C3PAOs proved to be a significant bottleneck for CMMC 1.0.

CMMC 2.0 Will Only Include 3 Certification Levels

According to the DoD’s announcement, CMMC 2.0 will eliminate certification Levels 2 and 4. It appears that the requirements for Level 1 will remain the same, while the requirements for the new Level 2 (formerly Level 3) will be split depending on the needs of specific procurements. The new Level 3 (formerly Level 5) requirements are still under development. The DoD also announced it is “removing CMMC-unique practices and all maturity processes from the CMMC Model.”

CMMC 2.0 Will Allow For Self-Certification To Some Requirements.

Instead of requiring that all certifications be conducted by a C3PAO, CMMC 2.0 will now allow for self-certification in some circumstances. For Level 1, contractors will now be able to conduct annual self-assessments with an annual affirmation by company leadership. For Level 2, the DoD will now identify “prioritized acquisitions” and related CMMC requirements that would require independent assessment and certification, and “non-prioritized acquisitions” that would require an annual self-assessment and company affirmation. While these self-attestations and company affirmations may increase the risk of potential False Claims Act liability, they will remove the costs and administrative burden on contractors of obtaining and maintaining third-party certifications. This does, however, increase the importance of a careful, thorough self-assessment process conducted under privilege to reduce any False Claims Act risk.

CMMC 2.0 May Also Include A Waiver Process.

Flexibility in implementation is another stated goal for CMMC 2.0. As such, the DoD plans to create a waiver process where specific CMMC requirements could be waived by the procuring entity under certain circumstances. Details on this waiver process are not yet known.


About Amy Mushahwar

Amy Mushahwar is a partner on the Privacy & Data Security and Cybersecurity Preparedness & Response teams. Amy has over 20 years of experience in the technology space and focuses her practice on data security, cyber risk, privacy, and emerging technologies. She advises clients on proactive data security practices, data breach incident response, and regulatory compliance.


About Jon Knight

Jon Knight is a senior associate on Alston & Bird’s Privacy, Cyber & Data Strategy team in the Washington, D.C. office. He focuses his practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
