Why CMMC 2.0 Matters for Manufacturers
A CBIA Manufacturing Spotlight Article
February 6, 2024
This article first appeared on CBIA's website and is published here with permission.
Cybersecurity is not just a technical issue but a critical business imperative for manufacturers engaged in defense contracts.
The Department of Defense’s Cybersecurity Maturity Model Certification 2.0 represents a significant shift in the way manufacturers supporting defense contracts will have to approach cybersecurity.
Currently, CMMC 2.0 is a proposed rule, not yet finalized and open for public comment until Feb. 26, 2024.
This period is crucial for manufacturers to familiarize themselves with the new requirements and prepare for compliance.
The full implementation of these requirements in DoD contracts is not expected until 2026 or later.
In the interim, manufacturers engaged as DoD contractors or subcontractors would be well-advised to use this time to understand the proposed changes, because the final rule will reshape cybersecurity practices in the defense supply chain.
New Certification Changes
CMMC 2.0 simplifies the prior complex CMMC framework by reducing the levels of certification from five to three.
These levels enhance cybersecurity standards for contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
This change streamlines the process and aligns Level Two (Advanced) with the well-established NIST 800-171 standards.
For many manufacturers, this means a more straightforward path to compliance and a more standardized set of expectations.
CMMC Level One
Contracts involving solely FCI[1] require compliance with Federal Acquisition Regulation 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
This regulation, already in effect for most contracts governed by FAR, mandates compliance with 15 security measures considered “fundamental” for any organization seeking to establish basic cybersecurity.
Manufacturers engaged on contracts involving FCI are obligated to meet all 15 requirements.
CMMC Level Two
Level Two applies to contracts involving CUI.[2]
Level Two requirements reflect the current obligations to protect CUI under DFARS 252.204-7012, which requires defense contractors and subcontractors to provide adequate security on all covered contractor information systems by implementing NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
DFARS 252.204-7012 and Level Two certification both require the implementation of 110 security requirements.
For Level Two certifications, third-party organizations will perform assessments and certify compliance or identify critical gaps.
The proposed rule includes an assessment appeals process, allowing manufacturers to challenge determinations made by a third-party assessment organization.
CMMC Level Three
Level Three is intended to include enhanced protection of CUI against Advanced Persistent Threats (APTs).
An APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).
CMMC Level Three requires implementation of selected security requirements from NIST SP 800-172, Enhanced Security Requirements for Controlled Unclassified Information, to reduce the risk of APTs.
Level Three manufacturers must meet all the requirements of CMMC Level Two, plus an additional 24 selected security requirements from NIST SP 800-172.
New Assessment and Affirmation Requirements
Under the proposed rule, every DoD contractor, along with most subcontractors, will now need to complete an assessment of cybersecurity compliance.
This assessment must then be reported through the DoD Supplier Performance Risk System.
Further, a senior official from the prime contractor and subcontractor must annually affirm continuing compliance with the specified security requirements.
The assessment and affirmation requirements vary based on the manufacturer’s required level of CMMC certification.
The introduction of annual affirmation requirements in CMMC 2.0 creates potential legal risk associated with non-compliance or false certification.
The False Claims Act imposes liability on any person who submits a claim (or a certification upon which a claim is based) to the federal government that the claimant knows (or should know) is false.
Therefore, failure to comply could result in significant fines and penalties for a company and, in some cases, the individual.
New Guidance Documents
The DoD made available eight additional guidance documents for CMMC 2.0, which cover the CMMC model, assessments, scoping, and hashing.
Manufacturers are encouraged to read these guidance documents for additional information.
Conclusion
CMMC 2.0 marks a significant shift in the cybersecurity landscape for manufacturers engaged in defense contracts.
The streamlined levels, alignment with NIST standards, and self-attestation pathways present a clearer framework for compliance and enhanced security with respect to CUI and FCI.
Please note that this article is intended to serve as a legal update and general overview of CMMC 2.0.
The content provided herein is not exhaustive and does not encompass all aspects or complexities of the CMMC.
__________________
[1] See FAR 4.1901 (defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public web sites) or simple transactional information, such as that necessary to process payments.”)
[2] See 32 CFR § 2002 (defined as “[a]ll unclassified information throughout the executive branch that requires any safeguarding or dissemination control.”)