After a nine-month review process, the Pentagon on Thursday rolled out a rebooted version of its Cybersecurity Maturity Model Certification (CMMC) program that aims to “cut red tape” for compliance with the future cyber security contracting standards. 

The new “CMMC 2.0” model reduces the number of tiers of compliance from five to three and allows for more self-assessment opportunities on certain types of programs, rather than requiring a third-party certification for every case.

iStock Cyber Lock

“Together, these enhancements: Ensure accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements, instill a collaborative culture of cybersecurity and cyber resilience and enhance public trust in the CMMC ecosystem, while increasing overall ease of execution,” the department wrote in a statement.

During its rollout over the last couple years, CMMC had received some pushback from industry over the complexity required to meet certain standards and the costs associated with meeting compliance.

An internal review into CMMC was launched in March, according to the Pentagon, after more than 850 public comments were submitted in response to an interim rule that kickstarted the program in late 2020.

The Pentagon clarified that it has suspended all piloting efforts under the current CMMC model, and that the rulemaking process to implement another interim policy may take nine to 24 months.

The department, however, said it is looking into opportunities to provide incentives for contractors to “voluntarily obtain a CMMC certification in the interim period.”

A final rule for the original version of CMMC was expected to go into effect this past spring, with the department aiming to start with 10 to 15 programs as part of its five-year phased rollout (Defense Daily, Oct. 6). 

CMMC 2.0’s three tiers, in order of least to most stringent standards, include Level 1 or “Foundational” covering 17 cyber security practices and requiring an annual self-assessment, Level 2 or “Advanced” covering 110 cyber security practices and requiring an annual self-assessment for programs that don’t touch controlled unclassified data or a triannual third-party certification and Level 3 or “Expert” covering more than 110 cyber security practices and requiring triannual third-party certifications. 

The Pentagon said the pared down tier levels and expanded opportunities for self-assessment will help reduce costs, while officials are focused on increasing “oversight of professional and ethical standards of third-party assessors.”

With CMMC 2.0, under certain circumstances companies will be allowed to set plans of action for meeting certification standards and allow for waivers in very specific cases, according to the department.