Defense Department easing cybersecurity regs for defense industry

New rules ease burdens, extend compliance deadlines

Two years ago, the defense industry was facing the mountainous task of complying with one of the most burdensome cybersecurity regulations ever created, the Cybersecurity Maturity Model Certification (CMMC). The pandemic postponed the implementation of CMMC. Now, the Department of Defense has significantly modified the regulations, calling them CMMC 2.0.

Here are a few examples of the important ways in which CMMC 2.0 eases the burdens and extends the deadlines for compliance.

Simplified classifications

The initial version of CMMC separated the defense industry into five different classifications. Under CMMC 2.0, although all defense contractors and subcontractors remain subject to the regulations, the structure is simplified into three classifications.

Level 1 is called the Foundational level, and encompasses entities that handle only Federal Contract Information (FCI) under the Federal Acquisition Regulations (FAR). FCI is information that is not intended for public release, and is either provided by or generated for the government pursuant to a contract to develop or deliver a product or service to the government. The DoD estimates that about 140,000 defense contractors and subcontractors fall within this Foundational level of compliance.

Level 2 is called the Advanced level, and applies to entities that handle Controlled Unclassified Information (CUI), an umbrella term that includes a wide variety of information that a law, regulation or government policy requires or permits to be handled only using certain safeguards or dissemination controls, whether created by the government or generated for the government by others. While there are hundreds of different laws, regulations and policies that may create CUI, the DoD typically marks, designates, or identifies information as CUI (or some sub-classification of CUI) when it qualifies as such. Also, the DoD and the National Archives maintain a CUI Registry listing the types of information that qualify as CUI. The DoD estimates that about 80,000 defense contractors and subcontractors must comply at the Advanced level.

Level 3 is called the Expert level, and will be required only for entities that work on the most sensitive DoD projects. The DoD estimates that only about 500 contractors and subcontractors will be subject to this level of compliance.

Standardized controls

Both the initial and revised versions of CMMC rely on cybersecurity standards promulgated by the National Institute of Standards and Technology (NIST), called Special Publication (SP) 800-171 and SP 800-172. However, the initial version of CMMC imposed additional requirements on defense contractors and subcontractors required to certify above Level 1. CMMC 2.0 eliminates that disparity, aligning the Advanced level with SP 800-171 and the Expert level with SP 800-172.

Adopting standardized controls in CMMC 2.0 enables entities that already use NIST (in whole or in part) for cybersecurity to more easily address CMMC compliance, and it enables professional services providers that commonly work with NIST to more readily and rapidly assist their clients to do so.

Expanded certification process

The initial version of CMMC imposed a complex process requiring third-party assessment and certification for all levels of defense contractors and subcontractors. Under CMMC 2.0, all Level 1 entities, and Level 2 entities that do not handle CUI that is critical to national security, can certify compliance through annual self-assessments. However, because self-certification is subject to the cyber-fraud initiative of the Department of Justice and an inaccurate self-certification raises False Claims Act liability, these Level 1 and 2 contractors and subcontractors still would be better protected through a third-party assessment, though the third party need not necessarily be a Certified Third-Party Assessment Organization (C3PAO) under CMMC.

Level 2 entities handling CUI that is critical to national security must certify at least once every three years with a C3PAO. Level 3 contractors and subcontractors will certify through an audit conducted by a division of the DoD called the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center.

Extension for compliance

DoD must complete the rulemaking process for CMMC 2.0, and estimates that the process will take somewhere from nine months to two years. Additionally, DoD has stated that it will not incorporate CMMC 2.0 into any defense contracts until that rulemaking process is complete, and it will not be mandatory to incorporate such requirements into agreements with subcontractors until that time either.

However, even though CMMC is not yet mandatory, many prominent defense contractors have already complied and are incorporating CMMC into their subcontracts anyway. Moreover, achieving compliance with CMMC 2.0 typically takes between two and three years, depending on the cybersecurity sophistication of an entity.

As a result, defense contractors and subcontractors should use the extra time created by the delay from CMMC 2.0 to work towards compliance with the regulations now, rather than attempting to rush to compliance in the last year before the deadline.

Cameron Shilling founded and chairs McLane Middleton’s Cybersecurity and Privacy Group. He can be reached at
