CMMC 2.0 Eases Compliance Burden for DoD Contractors and Subcontractors
In September 2020, the Department of Defense (DoD) published version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), which was designed to protect sensitive unclassified information that the DoD shares with its contractors and subcontractors. CMMC 1.0 became effective on November 30, 2020, which marked the beginning of a five-year phase-in period.
In November 2021, the DoD announced CMMC 2.0, which incorporates extensive feedback from public comments on CMMC 1.0 and significantly streamlines and refines CMMC requirements relative to version 1.0. The new CMMC framework is expected to significantly ease the burden of CMMC compliance for most DoD contractors and subcontractors.
In this blog post, we’ll provide a high-level view of the CMMC 2.0 changes and how they may impact your organization.
What’s Changing With CMMC 2.0?
In broad strokes, CMMC 2.0 streamlines and simplifies CMMC requirements. Key changes include:
- Reduces number of maturity levels from five to three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
- No longer requires every contractor to obtain third-party certification. Allows Level 1 companies and a subset of Level 2 companies to demonstrate compliance through self-assessments.
- Aligns certification requirements with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards and eliminates all maturity processes and CMMC-unique practice requirements.
- Aligns Level 3 requirements with the NIST SP 800-172 standard.
- Aligns Level 2 requirements with the NIST SP 800-171 standard.
- Aligns Level 1 requirements with a subset of the NIST SP 800-171 standard.
- Reduces number of practice requirements for all levels except the most basic (Level 1).
- Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
- Allows waivers to CMMC requirements under certain limited circumstances.
Here’s a summary of the key features of CMMC 2.0 and how they compare with 1.0:
Key Features of CMMC 2.0
Source: CMMC Website – https://www.acq.osd.mil/cmmc/model.html
What Are the Requirements for Each CMMC 2.0 Maturity Level?
Here’s a summary of the key requirements for each CMMC 2.0 maturity level:
Level 1 contractors must implement the 17 controls from NIST SP 800-171 as stated in Federal Acquisition Regulation (FAR) 52.204-21. They must annually self-attest to CMMC 2.0 compliance with an affirmation from Defense Industrial Base (DIB) company leadership. Self-attestations can be submitted through the Supplier Performance Risk System (SPRS).
Level 2 requirements are dependent on priority levels, which vary by contract and type of controlled unclassified information handled by the contractor.
- Non-priority: Contractors must implement the 110 controls in NIST SP 800-171 and submit an annual self-assessment through SPRS.
- Priority: Contractors must implement the 110 controls in NIST SP 800-171 and conduct a triennial (i.e., every three years) independent assessment performed by an authorized and accredited CMMC Third Party Assessment Organization (C3PAO).
Level 3 requirements are still under development by the DoD, but in the current iteration, contractors must implement 110+ controls based on NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171). Contractors must conduct a triennial (i.e., every three years) assessment led by the government.
When Will CMMC 2.0 Become Effective?
The CMMC 2.0 changes will be implemented through the rulemaking process, which involves a public comment period that is slated to last until at least August 2022. CMMC 2.0 compliance will not become a requirement for DoD contracts until the rulemaking process has been completed.
Does This Impact CMMC 1.0 Requirements?
The DoD will not include CMMC 1.0 or 2.0 requirements in any contract prior to completion of the CMMC 2.0 rulemaking process. Once the new CMMC framework has been codified through the rulemaking process, the DoD will begin including CMMC 2.0 requirements in its contracts.
What Should We Be Doing Now To Prepare for CMMC 2.0?
During the rulemaking process, as CMMC 2.0 continues to evolve, it is important to focus on 800-171 compliance.
If you have an indication that you will need to be compliant with CMMC 2.0 Level 3, we recommend focusing on NIST SP 800-172 compliance as these enhanced controls will be required for Level 3 contracts.
You can find additional information on the topics covered in this blog post on the DoD’s website describing CMMC 2.0 changes.
We Can Help
Tevora holds the ISO 17020 as accredited by A2LA R335 Specific Requirements – Cybersecurity Inspection Body Program to implement the security requirements of NIST SP 800-171, which is the foundation of CMMC 2.0. We are well versed in providing total customer care for all aspects of meeting your federal compliance needs.
If you have questions about CMMC 2.0, or would like help preparing your organization to comply with the new CMMC framework, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
Founded in 2003, Tevora is a specialized management consultancy focused on cybersecurity, risk and compliance services. Based in Lake Forest, CA, our experienced consultants are devoted to supporting the CISO in protecting their organization’s digital assets. We make it our responsibility to ensure the CISO has the tools and guidance they need to build their departments, so they can prevent and respond to daily threats.
Our expert advisors take the time to learn about each organization’s unique pressures and challenges, so we can help identify and execute the best solutions for each case. We take a hands-on approach to each new partnership, and –year after year –apply our cumulative learnings to continually strengthen the company’s digital defenses.