
DoD Preps – Then Withdraws – Updated Plan for CMMC 2.0


The Department of Defense prepared and then withdrew a statement outlining a path forward for the Cybersecurity Maturity Model Certification. The original notice, expected to be published in the Federal Register Friday morning, suggested DoD would scale back the program and halt implementation, including new contract language, until the changes were finalized.

“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” DoD wrote in the statement. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”

The statement was later withdrawn from publication in the Federal Register.

According to the initial notice, CMMC 2.0 would be scaled back to three certification levels, including a self-certification at level 1. Level 2 contractors would be designated as priority or non-priority acquisitions, with the latter also avoiding an independent third-party assessment. DoD did not announce any qualifications for the third and highest level.

CMMC 2.0 also would rely solely on NIST Special Publication 800-171, eliminating any additional controls, including CMMC-unique practices and all maturity processes. The updated model also would allow DoD to accept plans of action and milestones and to develop a general waiver process.
