Pentagon’s Updates to Cybersecurity Program Will Benefit SMEs

By Leslie Weinstein, Specialist Leader for Cybersecurity, Deloitte, Member of the IPC Thought Leaders Program

On November 4, the U.S. Department of Defense (DoD) unveiled a much-anticipated update to its Cybersecurity Maturity Model Certification (CMMC) program — called CMMC 2.0 — and electronics manufacturers will want to take note of the changes.

The CMMC program is the DoD's effort to bolster supply chain cybersecurity by requiring vendors to undergo third-party cybersecurity assessments. Under the original CMMC program, launched in 2020, every defense contractor was required to successfully undergo a third-party assessment of their cybersecurity program no later than November 1, 2025.

However, in an IPC survey and report released last June, 24 percent of electronics manufacturers said the costs of compliance with the CMMC could force them out of the DoD supply chain – potentially weakening the defense industrial base (DIB) while seeking to bolster security within it. 

According to the DoD, CMMC 2.0 is designed to minimize barriers to compliance by reducing costs, particularly for small businesses, and by clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. To achieve this, companies within certain compliance levels will be able to conduct self-assessments in place of a third-party audit. Some companies may also be able to conduct self-assessments if there is a time-bound and enforceable plan in place to remediate any compliance gaps.

Below are some of the notable differences between the original CMMC program and CMMC 2.0:

Compliance levels

CMMC 1.0: 5 compliance levels

CMMC 2.0: 3 compliance levels:

  • Level 1 remains the same
  • Level 2 is previous level 3
  • Level 3 is previous level 5
  • Elimination of Levels 2 and 4

Level required for CUI

CMMC 1.0: Level 3 required for Controlled Unclassified Information (CUI)

CMMC 2.0: Level 2 required for CUI

Assessments

CMMC 1.0: All levels require third-party assessment

CMMC 2.0: Assessment requirements vary by compliance level:

  • Level 1: Requires annual self-assessment
  • Level 2 (no information critical to national security): Requires annual self-assessment
  • Level 2 (handles information critical to national security): Requires triennial third-party assessments
  • Level 3: Requires DoD assessment

Relationship to NIST 800-171

CMMC 1.0: Level 3 equivalent to National Institute of Standards and Technology (NIST) 800-171 plus 20 CMMC practices and maturity processes (.999, .998, .997)

CMMC 2.0: No CMMC practices or maturity processes; Level 2 will be equivalent to NIST 800-171

Compliance gaps

CMMC 1.0: No gaps allowed (100% compliance required)

CMMC 2.0:

  • Some gaps allowed if a Plan of Action and Milestones (POA&M) is in place
  • DoD will establish a minimum score requirement to support certification with POA&Ms
  • 45 critical controls can’t have gaps

So, what does this mean for manufacturers within the DIB?

Although many manufacturers may process and handle Controlled Unclassified Information (CUI), most do not handle information that is most critical to national security. As such, manufacturers will be asked to perform and submit only an annual self-assessment of their NIST 800-171 implementation.

However, this does not mean that manufacturers are off the hook for cybersecurity compliance. Instead, manufacturers must ensure they have a plan to close any compliance gaps. While the threat of an on-site auditor to "kick the tires" has lessened, manufacturers should still be ready to answer any questions regarding their compliance posture. As a reminder, the False Claims Act still applies here, and minimum scores are still required to be maintained regardless of self-assessment status. This means that the DoD will have the right to request documentation and proof of compliance at any time during the performance of a contract.

Given the many concerns that were raised about CMMC 1.0, these common-sense changes are a big improvement. IPC’s industry research report and input to a congressional hearing apparently had an impact. The DoD took IPC’s input and that of others seriously, and compliance burdens will be lessened for some of the most at-risk SMEs working within the DIB.

IPC will continue to advocate for the industry's interests in the CMMC program and will continue to help with industry compliance efforts. Stay tuned for an upcoming IPC webinar including yours truly and other experts, and please contact me or Chris Mitchell at IPC if you have questions or suggestions.