Is the new CMMC rule going to be a draft rule or an interim final rule?
While an interim final rule was originally scheduled for release in May of 2023, which would have given the Defense Industrial Base (DIB) just one year to fully implement CMMC 2.0 requirements, a notice of proposed rulemaking is now expected to be released instead. However, this is currently up in the air. Whether a proposed rule or an interim final rule is introduced will not be fully determined until May of 2023.
What changes can we expect in CMMC under the new rule?
The DoD has been very opaque about what might be included in the new CMMC rule. However, we do know a few things likely to make it into the new rule’s 100 rumored pages. Basic Self-Assessments, which are currently required triennially under DFARS 7019, are expected to become an annual requirement. It is suspected that this new clause will only be applied to new contracts, which is a slight change from previous iterations of the rule.
CMMC is expected to be required of all contractors who process, handle, or store CUI. It is unclear whether all or only some of the companies handling CUI will be required to attain an independent certification. Currently, it has been indicated that most of the 80,000 companies the DoD estimates handle CUI will need a Level 2 certification.
Additionally, recall that updates to NIST SP 800-171, the list of controls that underlies CMMC, are currently underway. These changes will likely include adding new security requirements to the list. Beyond this, we do not know much about how these changes might look, but they are likely to all be additive, and at least some are expected to be drawn from Appendix E of 800-171. In other words, at least some Non-Federal Organization (NFO) controls are expected to be formally reintroduced to the CMMC framework.
Is the DoD considering a return to the Self-Assessment model?
In short, the DoD is highly unlikely to return to a Self-Assessment model for everything. Although anything is possible, the DoD has very consistently stated that it views the accountability inherent in independent, third-party assessments as vital to controlling risk within its supply chain. Recent research from Merrill showed that self-reported implementation of the current cybersecurity controls by the Defense Industrial Base (DIB) is only around 30%. This is far below the 100% required by the DoD.
It is important to note that the DoD's insistence on verification by Certified Third-Party Assessment Organizations (C3PAOs) is not the only voice that matters here. The prime contractor community is also looking for a mechanism to ensure the security of its downstream supply chains. A CMMC certification offers an easy approach for them, and based on what we are seeing in their supply chain questionnaires, they are taking it.
Basic Self-Assessments (BSAs) are expected to still be required. However, as stated above, we also expect the DoD to shift the submission of a BSA score to the Supplier Performance Risk System (SPRS) from a triennial requirement to an annual one.