Since the United States Department of Defense (DoD) published multiple cybersecurity-related interim rules in late 2020, industry has been anxiously waiting for updated guidance on how the proposed Cybersecurity Maturity Model Certification program will be updated. Over a year after the publication of those interim rules, DoD submitted an “Advance notice of proposed rulemaking” to the Federal Register dated November 1, 2021. The unpublished document, entitled “Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward”, which you can be viewed via the link below, sets forth significant changes to the CMMC program, including:
- Eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model;
- Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1;
- Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation;
- CMMC Level 5 requirements are still under development;
- Development of a time-bound and enforceable Plan of Action and Milestone process; and,
- Development of a selective, time-bound waiver process, if needed and approved.
However, as of 11:15 AM eastern on November 4, 2021, the document has been withdrawn from the Federal Register (see Federal Register :: Public Inspection: Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward).
DoD has, however, published a “CMMC 2.0” update to the DoD Acquisition and Sustainment website (OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil)). We will provide additional updates as they become available.