Attorneys: New CMMC approach shows evolution to strengthen defense contractor cyber posture, recognizing potential barriers

By Sara Friedman  / November 11, 2021

The evolution of the Defense Department's Cybersecurity Maturity Model Certification program reflects a response to concerns from the defense industrial base, according to attorneys, who said recent major changes show the Pentagon is taking into account pre-existing mechanisms for contractor compliance with cyber standards and is considering how the program can be implemented effectively.

CMMC 2.0 consolidates DOD’s cyber certification effort into three levels and relies heavily on NIST publications 800-171 and 800-172. The extra 20 controls in level two (formerly level three) are removed from the new model along with maturity processes.

Attorneys surveyed by Inside Cybersecurity questioned whether the Pentagon’s decision to walk back the CMMC model to align with the 110 controls in NIST 800-171 for level two is an effective approach, and expressed concerns over where things stand with assessment organizations that have been preparing to conduct assessments since the first version of the maturity model debuted in early 2020.

Carl Anderson of Rock Spring Law Group said, “The potential impact of removing the extra 20 CMMC controls and all maturity processes is that companies might not create comprehensive policy and procedural documents as they otherwise would have created under CMMC 1.0 and in preparation for a third-party assessment. The extra 20 CMMC controls were created by the DOD without the Information Security Oversight Office (ISOO). The ISOO developed NIST 800-171 to protect [controlled unclassified information] in coordination with several stakeholders.”

Contracting attorney Robert Huffman of law firm Covington took a different approach, saying removing the controls and processes “will make it easier and less expensive for contractors to self-attest to or be independently certified to that maturity level. Many of the former additional controls and processes were vague, which could have resulted in disparities in the way that they were applied to particular contractors.”

Holland & Knight’s Eric Crusius said that the removal will “simplify things for contractors already compliant with existing standards and not force them to reinvent the wheel. Some of the controls were unique (not found in Level 1) and I imagine DOD made the assessment that the challenges to contractors were not worth the extra safety protections that those controls required.”

When it comes to assessments, DOD is removing the requirement for a certified third-party assessment organization (C3PAO) to evaluate a contractor for level one and will instead allow contractors to self-attest annually.

A C3PAO assessment will be required for level three for a set of contractors handling sensitive controlled unclassified information under a bifurcated system, but DOD has not released the full details on how this new system will work in practice.

The changing role of the C3PAO and individual assessors will significantly impact stakeholders who have invested in the business model, the attorneys agreed.

Anderson said he thinks “there will not be a market for the small LLCs who incorporated for the sole purpose of conducting CMMC assessments. The companies who will be impacted by the third-party assessments initially will be large primes. The only companies who are qualified to assess multimillion-dollar assessments will be the established assessment organizations.”

Huffman and Crusius were hesitant to make sweeping statements on the future of the C3PAOs.

Huffman said there is still “a market for attesting against 800-171 exclusively,” adding “Furthermore, DOD appears to have left the door open for crediting contractors for CMMC Level 2 certifications obtained before CMMC 2.0 takes effect in contracts, so there may continue to be a market for C3PAOs and assessors even if it will be smaller than the market that would have existed under CMMC 1.0.”

Crusius took a different tack, saying: “For companies preparing for assessments, not much has changed because it seems Level 2 assessments will mostly be conducted by third parties because the 2.0 model states that ‘select’ programs will not require a third-party assessment. Third-party certification, as of now, appears to be the baseline and contractors bidding on contracts that involve CUI will all be motivated to obtain a third-party certification.”

Another perspective

Contracting attorney Robert Metzger weighed in shortly after DOD’s CMMC 2.0 announcement in an interview with Inside Cybersecurity. Metzger is the co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group, and a co-author of MITRE’s “Deliver Uncompromised” report.

Metzger said he is worried the current edition of NIST 800-171 “is showing some signs of aging” and things have changed since it was last updated in February 2020. He argued NIST’s latest update to Special Publication 800-53 is “prodigious” with new categories added and a “new emphasis on privacy, supply chain risk management and software assurance.”

NIST 800-171 is derived from the catalog of security controls in NIST 800-53, an expansive document that forms the basis for the government’s approach to protecting information technology systems. Metzger said there needs to be a similar update to improve NIST 800-171.

“It is my impression that some companies believe there was a significant additional burden in meeting the plus 20 controls for [the original] CMMC level three and DOD was confronting a situation in 2.0 where it wanted to have assessment and certification to validate the security claims of its contractors, but it did not want to make that process so difficult and so expensive that it would drive valuable companies out of the industrial base. It is possible DOD concluded that 171 is the known basis for security,” Metzger said.

Metzger also weighed in on how the Pentagon could reward companies who planned to obtain a CMMC certification at the original level three.

“There is a value to companies being assessed and being found eligible for certification even before the program is a contractual requirement,” Metzger said. “Any company with that credential has a positive competitive discriminator. Any company with that credential should present less risk to a higher-tier customer or to the government itself. And for the accomplishment of getting a certificate, that reduces the risk to its buyer and improves the process of successful performance.”

Metzger added, “It is not inconceivable that DOD would grant a positive evaluation credit for companies that have achieved a CMMC certification on an interim basis” in its evaluation process for contractor credentials.

DOD is halting its CMMC pilot efforts and will not issue new contract solicitations with CMMC requirements while the formal rulemaking process to change the Pentagon’s acquisition rules is underway. That process could take anywhere from nine to 24 months, according to an estimate from the department.