What Companies Should Know About the DoD’s CMMC Update

On November 4, 2021, the Department of Defense (DoD) announced several changes to the Cybersecurity Maturity Model Certification (CMMC) program, now referred to as CMMC 1.0. CMMC 2.0, the updated version of the framework, is a culmination of the DoD’s months-long internal review of CMMC 1.0’s implementation and significant changes to the program’s strategic direction.

While CMMC 2.0 remains focused on safeguarding sensitive national security information, the revamp enhances the original program by:

  • Simplifying CMMC standards and further clarifying cybersecurity regulatory, policy, and contracting requirements

  • Focusing the most critical cybersecurity standards and assessment requirements on organizations supporting the highest-priority programs

  • Increasing DoD oversight on the professional and ethical standards of third-party assessors

In this article, we’ll go over the major changes to the CMMC program and how these modifications will affect DoD contractors and subcontractors.

Key features of CMMC 2.0

CMMC 2.0 abandons many of the controversial elements of CMMC 1.0, including the maturity processes, prohibitions on plans of action and milestones (POAMs), and, in some cases, even the need for third-party certifications. The following changes, in particular, aim to streamline the model, reduce assessment costs, and allow more flexible implementation.

Fewer compliance levels

CMMC 1.0 featured five progressively stricter compliance levels, with Levels 2 and 4 intended as transition stages. The new model will have just three levels, namely:

  • Foundational/Level 1 – This level remains mostly unchanged, requiring companies to comply with 17 basic cybersecurity practices to protect federal contract information (FCI). The difference is that the DoD will now allow companies to perform annual self-assessments of their compliance rather than obtaining certification from CMMC Third Party Assessment Organizations (C3PAOs).

  • Advanced/Level 2 – Similar to Level 3 of CMMC 1.0, the new Level 2 mirrors the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 standard, requiring companies to comply with 110 cybersecurity practices. For contracts that involve controlled unclassified information (CUI), the DoD will require contractors to obtain triennial certifications from C3PAOs. Otherwise, annual self-assessments will suffice.

  • Expert/Level 3 – Largely equating to Levels 4 and 5 of CMMC 1.0, the new Level 3 is based on a subset of NIST SP 800-172 requirements. Expert/Level 3 certification requires triennial assessments conducted by a government-led assessment team, not a C3PAO.

No maturity processes

Cybersecurity practices are performed more consistently and effectively when they are continuously documented, managed, reviewed, and optimized. That is why the maturity processes of CMMC 1.0 measured the degree to which an organization had embedded its practices into its culture and operations. This gave the DoD some level of confidence that contractors could protect sensitive information at all times, not just during an audit.

CMMC 2.0 does away with maturity processes entirely, because most of their requirements were already included in the NIST SP 800-171 standard and were thus redundant. Complying with a separate set of maturity process requirements would only have contractors spending time on the paperwork side of cybersecurity rather than on actually securing national intellectual property.

No CMMC-unique practices

CMMC 1.0 differed from other cybersecurity models in that its standards consisted of certain requirements from NIST SP 800-171, plus 20 unique practices intended to make contractors more security conscious.

CMMC 2.0 eliminates all CMMC-unique security practices, meaning the new framework will rely entirely on practices prescribed in other publications, particularly NIST SP 800-171 and NIST SP 800-172.

Plans of action and milestones and waivers

CMMC 1.0 also differed from other cybersecurity models in that it required contractors to implement all of its security practices to be considered compliant. By contrast, Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and NIST SP 800-171 deemed companies compliant if they developed a plan of action to correct any deficiencies or implement any missing controls in their cybersecurity program.

The DoD seeks to adopt a more flexible approach under CMMC 2.0 by allowing contractors to win certain contracts while still working to meet compliance requirements. Although companies must still meet a baseline set of requirements before being awarded a contract, the DoD will allow them to address the remaining requirements in a POAM with a clearly defined timeline.

In addition, CMMC 2.0 will allow waiver requests of CMMC requirements for select time- or mission-critical acquisitions. The specifics of the waiver requirements are yet to be finalized, but the DoD announced that these waivers will have a limited duration and will require prior approval from senior DoD leadership.

Implementation timeline for CMMC 2.0

The changes outlined above will be implemented through the rulemaking process (the formal act of creating and enacting federal regulations), which will include more opportunities for public comment. The DoD anticipates that the process will take anywhere from 9 to 24 months, which means it will be some time before companies see CMMC 2.0 as a contractual obligation.

In the meantime, DoD contractors and subcontractors should continue to monitor and enhance their cybersecurity posture as they prepare for the implementation of CMMC 2.0.

With expert guidance and reliable IT services, Charles IT makes CMMC compliance achievable for Connecticut businesses. Get in touch with us today to learn more!