As the DOD's Cybersecurity Maturity Model Certification cyber rules for suppliers inch closer to the finish line, some vendors see more realistic expectations for compliance.

New cybersecurity rules for US Department of Defense (DOD) contractors are entering the home stretch. The rules, which establish a comprehensive and scalable assessment mechanism within the department's Cybersecurity Maturity Model Certification (CMMC) program, aim to ensure that contractors and subcontractors are implementing the information security measures the DOD requires of them.

The department, which has largely depended on security self-assessments by its suppliers in the past, has been criticized for some time by its inspector general for weak supervision of those suppliers. In a report released in December, IG Robert P. Storch noted that his office had issued five reports from 2018 to 2023 which consistently found that DOD contracting officials failed to establish processes to verify that contractors complied with selected federal cybersecurity requirements for controlled unclassified information (CUI), the requirements specified in NIST Special Publication (SP) 800-171. Storch also pointed out that, since 2022, his office has participated in five US Department of Justice investigations targeting government contractors and grant recipients suspected of fraudulently attesting their compliance with NIST cybersecurity standards.

CMMC a way to assure security in the DOD supply chain

“The CMMC requirements are a response to the DOD inspector general’s reports as a way to assess and verify compliance with the department’s security requirements,” says Brian Kirk, a senior manager for information assurance and cybersecurity at accounting and consulting firm Cherry Bekaert. “The aggregate loss of intellectual property and CUI from the DOD supply chain severely undercuts the U.S. 
technical advantage and disrupts business opportunities and ultimately threatens our national defense and economy.”

“By incorporating cybersecurity into acquisition programs,” Kirk continues, “the CMMC program provides the department assurance that contractors and subcontractors meet DOD cybersecurity requirements and provides key mechanisms to adapt to the evolving threat landscape. It’s a way for the department to assure security in the supply chain.”

Important change in how CMMC rules treat managed service providers

Robert Metzger, cybersecurity practice chair at the law firm of Rogers Joseph O’Donnell, says, “I see the rule as reaffirming the decision that self-attestation is insufficient for most DOD suppliers who have CUI and keeping the bar high in expecting NIST standards will be met.”

An important change from previous versions of the CMMC rules is how they treat managed service providers (MSPs). The previous version raised concerns that MSPs would be required to comply with Federal Risk and Authorization Management Program (FedRAMP) rules, which provide a standardized approach to security authorizations for cloud service offerings (CSOs) used by the federal government. FedRAMP authorizations are granted at three impact levels (low, moderate, and high); moderate accounts for most offerings that receive authorization, and it was the FedRAMP Moderate baseline that MSPs feared being held to.

“FedRAMP was never intended for the cloud services that commercial organizations provide other commercial organizations,” Metzger says. “So, the proposed rules do not subject managed service providers to FedRAMP moderate. 
They do suggest that if they hold or host controlled unclassified information, they will be subject to the same NIST requirements as are contractors who have the same information.”

“That change will allow more companies to make prudent decisions about the selection of managed service providers and other external service providers who can help them accomplish compliance and sustain security at a lower overall cost,” Metzger explains. “The big danger to CMMC is that it will be unaffordable to too many companies. The best answer to affordability is to enable companies to satisfy most of the specific cyber requirements by using external service providers. In order for that to work, we have to have a means to have those external service providers assessed or validated so companies have a marketplace of external service providers to choose from.”

Manufacturers' operational technology not subject to NIST SP 800-171 assessment

The proposed rules also relieve manufacturers of applying NIST SP 800-171 to their operational technology (OT). SP 800-171 is the NIST catalog of security requirements for protecting CUI in nonfederal systems; it is the standard that DOD contract clauses require suppliers handling CUI to meet.

“The requirements of the 171 set of cyber standards are designed for IT networks and information systems,” Metzger says. “They were never really designed for a manufacturing environment. It’s now said clearly in the proposed rules that the assessments won’t apply to operational technology.”

“That, to me, should cause manufacturers to breathe a huge sigh of relief because being required to meet NIST standards that simply don’t fit a manufacturing or OT environment is a recipe for trouble of many forms,” Metzger says. “The most important change is what did not change. The document has essentially the same structure and strategy that was in 1.0. It requires third-party assessments for a very large number of defense suppliers.”

The proposed version 2.0 of the CMMC rules was published in the Federal Register on December 26, 2023. 
Interested parties have until February 26, 2024 to file comments with the DOD before the department finalizes the rules.