It was last November that the Department of Defense (DoD) announced a new “strategic direction” for its Cybersecurity Maturity Model Certification (CMMC), intended to address the problems contractors reported with the first iteration, chiefly its cost and complexity. The new version, CMMC 2.0, was meant to align more closely with existing federal standards, notably NIST SP 800-171, and to cut red tape for small and medium-sized businesses.
CMMC 2.0 remains a comprehensive framework for protecting the defense industrial base from increasingly frequent and sophisticated cyber attacks. It also sets new priorities for protecting DoD information and is meant to reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, explained last November. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
A CMMC Do-Over with 2.0
The CMMC program sets cyber protection standards for companies in the defense industrial base (DIB), which has become a target of cyberattacks by nation-state adversaries and non-state actors alike. By writing cybersecurity requirements into acquisition contracts, CMMC is meant to give the DoD assurance that contractors and subcontractors are actually meeting the Pentagon’s cybersecurity requirements rather than merely attesting to them.
CMMC 2.0 also reduces the certification tiers from five to three. Level 1, and a subset of Level 2 programs, no longer require a third-party assessment, which allows those contractors to return to annual self-attestation. The remaining Level 2 contracts still require a third-party assessment, so the assessor market survives, only smaller. Level 3 certification will require government-led assessment, and government assessors are already in short supply and high demand.
CMMC 2.0 is still widely seen as an incremental improvement rather than the final word on cybersecurity for the DoD supply chain, and some have questioned whether it is a step in the right direction at all.
“Given the sharp expansion in the threat landscape and uptick in attacks, it’s no surprise that there is already lots of talk around the CMMC updates in 2022,” explained Garret Grajek, CEO of the cybersecurity firm YouAttest.
“Many feel that the last update weakened the original wording, which surprised many in light of the international and state-sponsored hacking,” Grajek told ClearanceJobs. “The audit community feels that external audits are needed to ensure that all relevant controls are met and to add teeth to this important DoD guidance.”
Building on DoD 8570 Compliance with DoD 8140
DoD Directive 8570.01, issued in 2004, and its implementing manual, DoD 8570.01-M (2005), were created to identify, tag, track and manage the information assurance, or cybersecurity, workforce. The manual established an enterprise-wide baseline of commercial IT certifications required to validate the knowledge, skills and abilities of people working in cybersecurity roles. DoD Directive 8140.01, issued in 2015, superseded 8570 and broadened its scope.
DoD 8140 was designed to be more flexible and inclusive than DoD 8570: rather than tying a role to a single certification, it draws on the NIST National Initiative for Cybersecurity Education (NICE) framework, which identifies the critical KSAs (knowledge, skills and abilities) for each role and groups cybersecurity positions into seven categories: securely provision, operate and maintain, protect and defend, analyze, collect and operate, oversight and development, and investigate, comprising 31 specialty areas.
“For several years the policy called out in DoD 8570 defined goals for assurance, but now to practitioners the emergence of CMMC has made it all seem like there are more moving parts,” said Jim Purtilo, associate professor of computer science at the University of Maryland.
While DoD 8570/8140 and CMMC may appear to overlap, they answer different questions: 8570/8140 qualify the people doing the work, while CMMC assesses the organization’s implementation of controls. The two do not necessarily complement each other cleanly, and together they can present a new set of hurdles for cyber candidates to clear.
“In reality it is different standards offices codifying much of the same content in different ways, so I think it is unfortunate that this adds another layer of complexity around security fundamentals which we should all embrace,” Purtilo told ClearanceJobs. “We could do a little better job of expressing expectations simply, and it seems likely that we will once the bureaucratic fevers which naturally grow around any such endeavors have run their course.”