DOD revamps controversial CMMC program

After a nine-month review, the Defense Department is replacing its original cyber compliance program for the industrial base with CMMC 2.0, putting more emphasis on self-assessment.

NOTE: This article was first published on

The Department of Defense is revamping its cybersecurity compliance program for government contractors, after a nine-month internal review and complaints from vendors large and small over the cost and complexity of the requirements.

Cybersecurity Maturity Model Certification 2.0, announced Nov. 4, promises a new strategic direction for protecting federal contract information and controlled unclassified information that allows for more self-assessment, eliminates several tiers of compliance and reduces the role of third party assessment.

"CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base," Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a statement. "By establishing a more collaborative relationship with industry, these updates will support business in adoption the practices they need to thwart cyber threats while minimizing barriers to compliance with DOD requirements."

DOD will establish and implement new CMMC policies through the rulemaking process, including a period for public comment, according to a notice that was posted and then removed from the Federal Register on Nov. 4. That document states that CMMC pilots will be suspended until the CMMC 2.0 rule changes take effect, and that going forward CMMC requirements will not be included in DOD solicitations.

The move "raises the bar on security but reduces the compliance," said John Weiler, CEO of the IT-Acquisition Advisory Council and a frequent critic of the CMMC program.

The revamp of the CMMC program also appears to dovetail with a recent move by the Justice Department to launch the Civil Cyber-Fraud Initiative to target contractors that "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."

Weiler noted that companies that fraudulently self-assess could face false claims lawsuits from the DOJ's Civil Division.

The CMMC Accreditation Body, which has a contract to certify third-party assessment and training under the first iteration of the program, praised DOD's decision to revamp the program. Among the changes it mentioned was the dropping of CMMC Level 2 and Level 4 and making CMMC Level 1 a self-assessment.

CMMC-AB CEO Matthew Travis called the changes "meaningful and compelling improvements."

"The DOD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish: Clarifying the standard, reducing the cost burden, improved scalability, and instilling trust and confidence in the CMMC ecosystem," he said.

Travis said that trainers will have to adjust their curricula but that this is a "short-term challenge."

Under CMMC 2.0, third party assessment will be focused "on companies supporting the highest priority programs," according to a one-page explainer released by DOD to announce the new direction of the program.