CMMC 2.0: Understanding the New Framework

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity assessment program developed by the US Department of Defense (DoD). It is aimed at measuring the maturity of a defense contractor’s cybersecurity processes toward demonstrating compliance with standards for protecting federal contract information (FCI) and controlled unclassified information (CUI). 

Its first iteration, CMMC 1.0, was introduced back in January 2020. This version has five maturity levels, with cybersecurity standards becoming more stringent the higher the level. The only certifiable levels in CMMC 1.0, however, were Levels 1, 3, and 5, which created some confusion about what purpose Levels 2 and 4 served. CMMC 1.0 also retained the original cyber framework inherited from Defense Federal Acquisition Regulation Supplement (DFARS) 7012. That is, CMMC 1.0 kept the 110 National Institute of Standards and Technology (NIST) 800-171 controls for CUI, and had 20 more controls at Level 3.

Many Defense Industrial Base (DIB) contractors found CMMC 1.0 to be too complex, burdensome, and resource-intensive. They also said that the program’s design lacked technical scoping and proper program-based definition for CUI. In response, the DoD reevaluated the CMMC framework in March 2021 and came up with CMMC 2.0 in the hopes of simplifying compliance for defense contractors and their suppliers.

In this blog post, we will discuss the new version of DoD’s CMMC framework and how you can get started with your compliance journey.

What is new in CMMC 2.0?

According to the DoD, CMMC 2.0 will reduce costs for small and medium-sized businesses, set priorities for protecting DoD information, and clarify cybersecurity regulatory and policy requirements. All of these will be achieved via the implementation of the following changes: 

1. Simplified maturity levels

Instead of five maturity levels, CMMC 2.0 only has three. Each CMMC 2.0 level is on par with independently established standards like NIST and Federal Acquisition Regulation (FAR) requirements. The new DoD CMMC framework will also reduce dependence on third-party assessors while also eliminating CMMC-unique practices. Let’s take a closer look at each level:

• Level 1 (Foundational)
  Similar to CMMC 1.0 Level 1, CMMC 2.0 Level 1 requires annual self-assessments, focuses on the protection of FCI, and is based on the 17 controls found in FAR 52.204-21.
• Level 2 (Advanced)
  CMMC 2.0 Level 2 comparable to Level 3 of CMMC 1.0. This level aims to protect CUI, which requires a higher level of security than FCI. It aligns with the 14 levels and 110 security controls developed by the NIST.
  
  CMMC 2.0 Level 2 is divided into two categories: prioritized acquisitions and non-prioritized acquisitions. For instance, CUI related to weapons systems falls under prioritized acquisitions, while CUI pertaining to military uniforms is covered by non-prioritized acquisitions.
  
  The assessment requirements of these two categories differ significantly. While prioritized acquisitions will require assessments three times a year from a certified third-party assessing organization (C3PAO), non-prioritized acquisitions only require an annual self-assessment.
• Level 3 (Expert)
  Level 3 in CMMC 2.0 is designed to replace Levels 4 and 5 of the previous model and is focused on reducing the risk of advanced persistent threats. It requires government-led assessments every three years and compliance with the NIST SP 800-172 controls on top of the 110 controls required for Level 2 certification.

2. Inclusion of plan of action and milestones (POAMs) and waivers

With CMMC 2.0, the DoD will allow certain organizations handling sensitive unclassified DoD information to meet compliance requirements through POAMs through POAMs, which allow contractors or subcontractors to receive contracts while they work toward full compliance.

Those seeking to meet CMMC 2.0 requirements through a POAM, however, should achieve a minimum threshold score and complete POAMs within 180 days of being awarded a contract. If they fail to implement all the controls within that period, their contract may be terminated.

Additionally, waivers, which allow a contractor or subcontractor to forgo certain CMMC requirements, will also be introduced in CMMC 2.0. These waivers are strictly time-bound and may only be approved by senior DoD personnel.

3. Less costly assessments

Under CMMC 2.0, the DoD will allow all organizations at Level 1 to conduct annual self-assessments. Those at Level 2 can also do so, but only after they’ve been approved by the DIB. This relieves organizations that handle only FCI and not CUI from the burdens and costs associated with third-party assessments of cybersecurity standards implementation.

When will CMMC 2.0 be required?

The DoD predicts the CMMC 2.0 will be finalized nine months to two years from now. In the meantime, the department is suspending all mandatory CMMC certification and initial implementation efforts. The DoD will also not include CMMC requirements in any DoD contract until further notice. The DoD is currently exploring the possibility of incentivizing contractors to voluntarily attain their required CMMC 1.0 level prior to completion of CMMC 2.0.

Finally, the DoD highly encourages contractors to continue enhancing their cybersecurity posture. In fact, the department has intensified its enforcement of NIST SP 800-171, which CMMC 2.0 Level 2 will mirror. 

How can you get started with CMMC 2.0 compliance?

Complying with CMMC 2.0 is not an easy task. Fortunately, a reliable managed IT services provider like Charles IT can help! We will help you achieve full compliance with our three-step process:

1. Gap assessment – We will identify vulnerabilities in your business’s cybersecurity posture and recommend ways to strengthen them.
2. CMMC services enlistment – We offer services like backup and disaster recovery, security awareness training, external vulnerability scanning, endpoint encryption, dark web monitoring, and security information & event management.
3. CMMC Audit Assistance – We will guide you through the auditing process by recommending CMMC auditors and then acting on your behalf to produce the evidence needed to prove your cybersecurity posture.

Drop us a line today to get started with your CMMC 2.0 compliance journey!