Ah, CMMC, the acronym version of Jason Vorhees. Unkillable. Unknowable. Is it a man? A machine? Some sort of demon sent here to kill us ?
All we know is that Its name has been evoked in hushed tones for years now. Always the same. Leaning close so you can hear: “CMMC is coming. And it’s going to change everything.”
Or not.
With little fanfare, the Department of Defense announced in early November that the Cybersecurity Maturity Model Certification (“CMMC”) program is dead. But don’t worry. It’s immediately being replaced by CMMC 2.0 (the same thing, only less).
The new CMMC will have three levels of certification instead of five and will only be required of companies that handle covered information. The later part is a big relief to many small businesses that were worried about certification even though they never touch the type of information that someone would want to hack. A company that mows grass at Arlington National Cemetery probably doesn’t stand much risk of being hacked after all. It makes sense that those companies would not need a certain CMMC level to do their work.
Nobody asked, but here’s my take. CMMC started at a time when the federal government was very concerned about the vulnerability of its information to hackers. China and Russia were both open aggressors on this front. Who knows how many other state and non-state actors were at it? The biggest area of vulnerability turned out to not be the government itself—the federal government can control information going in and out and it can control the level of security it applies to that information—but the civilian companies it hired to do day-to-day non-governmental tasks. Many of the big headline-grabbing leaks were eventually traced back to vulnerabilities exploited in contractors with access, not the agencies themselves. To solve this problem, the government moved as swiftly as it could, which is to say not very quickly. It announced the CMMC program in early 2019 and said that it would be in defense contracts soon and that civilian contracts would probably follow.
Since then, it’s been stymied by delays and difficulty naming CMMC Third Party Assessment Organizations (called “C3PAOs“—the defense department sure does love its Star Wars references, doesn’t it?). Now, though nothing has changed about the threat being faced, the magnitude of CMMC is being significantly reduced.
So what changed? Again, this is just my theory, but it seems the mere specter of CMMC forced defense and civilian contractors who deal with sensitive information to take a hard look at their security procedures. That and as of November 2020, defense contractors had to self-assess their security against the National Institute of Standards and Technology standards. The government dragging their feet allowed time for them to any changes needed.
In short, the purpose of CMMC 1.0 was to plug the holes in the defense industrial base. That purpose has effectively been accomplished without CMMC being enacted. As such, CMMC could die.
Now the government has to keep cracks from forming. That’s a difficult task, no doubt, but much easier than simultaneously applying a universal standard to a multi-billion dollar collection of loosely connected industries. Much like Jason Vorhees, CMMC is back for a sequel.