In 2021, the US Department of Defense (DoD) updated the Cybersecurity Maturity Model Certification (CMMC) framework. The revamp makes the CMMC system more streamlined and flexible, allowing defense contractors and their suppliers to comply with the DoD’s cybersecurity standards.
Here are some important details about CMMC 2.0 that contractors should know:
CMMC 1.0 is intended to safeguard federal contract information (FCI) and controlled unclassified information (CUI) that DoD contractors and subcontractors collect and manage on non-federal IT systems. This framework has five maturity levels, with the cybersecurity standards growing more stringent the higher the level. DoD contracts were categorized by their required CMMC level, limiting them to the contractors that achieved the necessary certification level.
The DoD began an internal evaluation of CMMC 1.0 implementation in March 2021, based on over 850 public comments submitted in response to the interim Defense Federal Acquisition Regulation Supplement (DFARS) rule. This programmatic cybersecurity and acquisition review produced “CMMC 2.0,” which updates the program structure and requirements to align with the DoD's C5ISR program.
CMMC 2.0 closely aligns CMMC with other federal cybersecurity programs, such as the Department’s Cybersecurity Acquisition (CYBASE) and Assured Compliance Assessment Solution (ACAS), to increase the effectiveness of CMMC as a government-wide program.
CMMC 2.0 will be implemented in three phases: CMMC 1.5 (with CMMC 2.0 changes), CMMC 1.2 (existing CMMC 1.0), and CMMC 2.0 (new program). The CMMC 1.5 transition is expected to be completed by December 2023, while CMMC 1.2 and CMMC 2.0 will be implemented by December 2028.
Like CMMC 1.0, CMMC 2.0 is based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. That framework is organized around five core functions: identify, protect, detect, respond, and recover.
To eliminate the complicated overlaps between CMMC 1.0’s five tiers, CMMC 2.0 was pared down to three tiers. In CMMC 2.0, the demarcations between tiers are clearer and less dependent on subjective assessment.
Below are the key updates:
For CMMC 2.0, the DoD will now allow certain acquisitions to fulfill requirements via Plans of Action and Milestones (POAMs) rather than requiring full compliance up front. Contractors with POAMs will be able to receive partial contract awards while they make progress toward full compliance. However, the DoD will not accept a POAM for “highly weighted” controls.
Furthermore, a firm attempting to comply with CMMC 2.0 standards through a POAM must achieve a certain minimum score. Finally, eligible contractors must finish POAMs within 180 days of contract completion.
Gear up your organization for CMMC 2.0 compliance and easily bag those DoD contracts. Charles IT will help you prepare and manage your infrastructure to meet the requirements of the shift. Contact us today to learn more!