Last week, the U.S. Department of Defense came out with updates to the CMMC framework. The aim of the updates, labeled "CMMC 2.0", is to provide strategic direction following an internal program assessment by Department leaders. The revision maintains the framework's goal of safeguarding sensitive information while simplifying the standards it follows.
A streamlined model is one of the main goals of CMMC 2.0. The revamped model aligns with the widely accepted NIST cybersecurity standards. It also reduces the number of compliance levels from five to three:
Level One (Foundational): Applies to most Defense Industrial Base (DIB) companies and requires compliance with 17 basic cyber hygiene practices.
Level Two (Advanced): Applies to DIB companies that will receive controlled unclassified information (CUI). Requires 110 practices aligned with the requirements of NIST SP 800-171.
Level Three (Expert): Applies to top-tier DoD projects with the most sensitive and high-risk data. Requires 110+ practices based on NIST SP 800-171.
Updated Certification Method
Many of the complaints about the original CMMC model stemmed from the requirement to obtain a third-party certification, even at the lowest level of compliance. Now, with reliable assessments being one of the main changes, some CMMC-compliant organizations are able to self-certify. Companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) can now demonstrate compliance through self-assessments. However, if an organization at Level 2 is dealing with critical national security information, it will be subject to triennial third-party assessments. All Level 3 organizations are subject to triennial government-led assessments.
Flexible implementation is another major change in CMMC 2.0. Under certain circumstances, companies will be allowed to use Plans of Action & Milestones (POA&Ms) to achieve compliance. POA&Ms are a common practice in becoming compliant with DFARS, NIST CSF, and other compliance requirements.
CMMC 2.0 Rollout Timetable
The changes in CMMC 2.0 will be rolled out through the rulemaking process. Once the forthcoming rules go into effect, the companies they apply to will be required to comply. As of now, there is no official rollout date. The DoD intends to suspend the current CMMC Piloting efforts and will not approve the inclusion of CMMC requirements in any DoD solicitation. In the meantime, the Department encourages companies to continue enhancing their cyber hygiene.
Charles IT is Connecticut's compliance expert! If you and your organization need help with CMMC, feel free to reach out to us today!