A Technical Look at CMMC 2.0 Updates


In 2021, the US Department of Defense (DoD) updated the Cybersecurity Maturity Model Certification (CMMC) framework. The revamp makes the CMMC system more streamlined and flexible to allow defense contractors and their suppliers to comply with the DoD’s cybersecurity standards.


Here are some important details about CMMC 2.0 that contractors should know:

Graduation from CMMC 1.0 to CMMC 2.0

CMMC 1.0 was intended to safeguard federal contract information (FCI) and controlled unclassified information (CUI) that DoD contractors and subcontractors collect and manage on non-federal IT systems. The framework has five maturity levels, with the cybersecurity requirements growing more stringent at each higher level. DoD contracts were categorized by their required CMMC level, limiting bidding to contractors that had achieved the necessary certification level.

The DoD began an internal evaluation of CMMC 1.0 implementation in March 2021, based on over 850 public comments submitted in response to the interim Defense Federal Acquisition Regulation Supplement (DFARS) rule. This programmatic cybersecurity and acquisition review produced “CMMC 2.0,” which updates the program structure and requirements to align with the DoD's C5ISR program.

CMMC 2.0 closely aligns CMMC with other federal cybersecurity programs, such as the Department’s Cybersecurity Acquisition (CYBASE) and Assured Compliance Assessment Solution (ACAS), to increase the effectiveness of CMMC as a government-wide program.

CMMC 2.0 will be implemented in three phases: CMMC 1.5 (with CMMC 2.0 changes), CMMC 1.2 (existing CMMC 1.0), and CMMC 2.0 (new program). The CMMC 1.5 transition is expected to be completed by December 2023, while CMMC 1.2 and CMMC 2.0 will be implemented by December 2028.

Key CMMC updates

Like CMMC 1.0, CMMC 2.0 is based on the National Institute of Standards and Technology’s (NIST) cybersecurity framework. That framework defines five core functions: identify, protect, detect, respond, and recover.

To eliminate the confusing overlaps between CMMC 1.0’s five tiers, CMMC 2.0 was pared down to three. In CMMC 2.0, the boundaries between tiers are clearer and less dependent on an assessor’s subjective judgment.

Below are the key updates:

  • Levels 2 and 4 are eliminated, leaving three levels:
    • Level 1 (Foundational) – identical to CMMC 1.0 Level 1
    • Level 2 (Advanced) – similar to CMMC 1.0 Level 3
    • Level 3 (Expert) – similar to CMMC 1.0 Level 5
  • CMMC-unique practices and maturity processes are removed from all levels.
  • Annual self-assessments with an annual affirmation by Defense Industrial Base company leadership are now allowed under CMMC Level 1 (Foundational).
  • CMMC Level 2 (Advanced) assessments are now bifurcated into two requirements:
    • An independent third-party assessor is now required for prioritized acquisitions involving CUI.
    • Annual assessments with annual company affirmations are required for non-prioritized acquisitions involving CUI.
  • Government-led assessments are now required for CMMC Level 3 (Expert).
  • Guidelines for the development of time-bound and enforceable Plans of Action and Milestones (POAM) processes are provided.
  • Guidelines for the development of selective, time-bound waiver processes for certain circumstances are provided.

Learn more about CMMC compliance from Charles IT Team Lead and Project Manager Mike Bailie: CMMC Webinar with Mike Bailie

POAMs and waivers

For CMMC 2.0, the DoD will now allow certain acquisitions to fulfill requirements via POAMs in place of full compliance at the time of assessment. Contractors with POAMs will be able to receive partial contract awards while they make progress toward full compliance. However, the DoD will not accept a POAM for “highly weighted” controls.

Furthermore, a firm attempting to comply with CMMC 2.0 standards through a POAM must achieve a certain minimum score. Finally, eligible contractors must finish POAMs within 180 days of contract completion.


Gear up your organization for CMMC 2.0 compliance and bag those DoD contracts with ease. Charles IT will help you prepare and manage your infrastructure to meet the requirements of the shift. Contact us today to learn more!