Changes Coming to Defense Department's Cybersecurity Maturity Model Certification Under CMMC 2.0

The U.S. Department of Defense ("DOD") has published an Advanced Notice of Proposed Rulemaking ("ANPRM")1 previewing significant changes to its Cybersecurity Maturity Model Certification ("CMMC") program.2 The revamp, "CMMC 2.0," promises a more streamlined and flexible system for defense contractors and their suppliers to comply with CMMC and DOD's cybersecurity expectations, with practical changes soon coming into effect. [...]in addition to the 110 controls required for new Level 2, Level 3 certification will also require compliance with the controls in NIST's SP 800-172.7 The decision to equate Level 2 and 3 controls with NIST standards is especially notable in relation to other efforts by the Biden administration to centralize further NIST's role in federal cybersecurity, including under E.O. 14028.8 The ANPRM states that the new CMMC 2.0 framework will be implemented by a pair of rules in both Title 32 (National Security) and Title 48 (FAR and Defense Federal Acquisition Regulation Supplement ("DFARS")) of the Code of Federal Regulations ("CFR"), and that each will be open for public comment. DOD will not, however, accept a POAM for certain "high[ly] weighted" controls. [...]a company seeking to meet CMMC 2.0 requirements through a POAM must achieve a certain minimum threshold score.9 Further, eligible contractors must complete POAMs within 180 days of contract award after which a contracting officer may terminate the contract if controls have not yet been implemented.