WASHINGTON — The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) version 2.0 is on track to start at the beginning of next year, according to David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the Department of Defense.
The DoD published the new proposed rule of CMMC 2.0 on Dec. 26, 2023, long after the department announced CMMC 2.0 in November 2019. The goal of CMMC 2.0 is to create an upgraded version of the cyber certification program designed to strengthen the defense industrial base’s cybersecurity capabilities, while responding to industry’s complaints of CMMC 1.0 being too costly and restrictive.
“We are moving forward, we’re hoping by the first quarter of calendar year [2025] we’ll be able to start enforcing this and putting this in contracts as we go forward. We just keep plugging along because this has been discovered learning, and they’ve got so many roadblocks that have popped up and so much resistance to this, but we feel this is super important,” McKeown said during the Potomac Officer’s Club Cyber Summit on Thursday.
As with CMMC 1.0, under CMMC 2.0 contractors who handle controlled unclassified information (CUI) would be required to adopt cybersecurity standards at different levels. However, CMMC 2.0 uses a three-level scale instead of the original program’s five-level scale, which McKeown said would reduce complexity by eliminating unique processes and security practices that are not necessary.
CMMC 2.0 reaffirmed that these contractors must adhere to the controls set out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Other changes CMMC 2.0 plans to bring forward require contractors and subcontractors to undergo either self-assessments, evaluations by CMMC third-party assessment organizations (C3PAOs) or evaluations by government assessors, depending on the sensitivity of the controlled unclassified or classified information the contractor handles.
McKeown said self-assessments are permitted only at level 1 and for some of level 2, the levels that handle the least sensitive controlled unclassified or classified information.
“So for the types of controlled unclassified and classified information that we don’t care that much about, they will be able to do the self-attestation […] they will not have to go through a CMS disaster,” McKeown said.
Level 3 partners, given their level of classification, will not be eligible for any self-assessments, but will have to go through government evaluators — a step up from C3PAOs.
“It’s not just about protecting the data. It’s about doing battle with persistent threats. We figured there’s about 600 companies here at this level. They will have to go through this more rigorous assessment,” McKeown said of the companies with level 3 capabilities.
Because companies at the lower levels could use self-assessments instead, they would avoid the costs industry partners would otherwise pay for planning and preparation for the assessment, the assessment itself and the reporting of the results.
“In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” the proposed rule states.
The public comment period on the new rule ended on February 26, and the Pentagon is planning to roll out CMMC 2.0 in phases. The rollout is supposed to begin early next year, but the Pentagon intends to include CMMC requirements in all applications on or after Oct. 1, 2026, according to the Federal Register. However, waivers may be issued in select cases.