01.08.22

CMMC 2.0 Tiers Explained

Since its reveal in 2019, there has been plenty of discussion surrounding CMMC and the game-changing implications it brings to light. Roughly two years later, the DOD unloaded yet another bombshell when announcing a new and improved version of the standard. CMMC 2.0 introduced significant changes to the original framework, most notably, the steps necessary to achieve certification.

Upon its initial unveiling, CMMC was primarily defined by a tiered model consisting of five maturity levels, each with its own set of guidelines. Version 2.0 scales back the requirements by trimming the number of certification levels down to three. The second and third tiers have been eliminated from the framework entirely. Furthermore, the remaining tiers have been uniquely repurposed with new labels and modified provisions.

CMMC Maturity Levels

The revamped CMMC tiered model is deeper than level reductions and crafty naming conventions. Here’s a detailed explanation of the changes:

Level 1 – Foundational: The most notable change CMMC 2.0 brings to the forefront is removal of the mandate that calls for contractors to pass third-party audits at each level in order to obtain certification. Per the updates, Level 1 will now require self-assessments, to be performed on an annual basis, in addition to affirmation that the contractor has uploaded the results to the Supplier Performance Risk System (SPRS), the web-based portal the DOD uses to identify, monitor, and analyze the outcomes of self-reported assessments.

Level 1 also requires the implementation of 17 security measures adopted from NIST SP 800-171. These controls are considered basic prerequisites for protecting DIB IT systems.

Level 2 – Advanced: Prior to CMMC 2.0, level 2 was largely viewed as a means of transitioning to the next maturity level. As such, level 3 is now essentially level 2. This tier requires contractors to implement 110 security measures from NIST SP 800-171 and follow the level 1 mandate of submitting annual self-assessment results to the SPRS. However, companies that handle critical government data pertaining to national security will be required to undergo a C3PAO audit every three years.

Level 3 – Expert: Absorption into level 2 has rendered the third CMMC tier a work in progress. The final requirements will be announced at a later date. What has been established is the mandatory adoption of roughly 110 NIST SP 800-171 controls as well as additional standards from various other compliance programs. More importantly, level 3 assessments will be performed by the government, rather than a C3PAO.

As the most demanding tier, Level 3 places an enhanced focus on planning and documentation. Contractors will be required to produce a plan that demonstrates their understanding of the necessary security controls. This may include details pertaining to data handling procedures, employee training programs, risk mitigation, and backup schedules among other details.

CMMC Level Exceptions

While the tiered system remains a vital cog in the CMMC certification machine, there are exceptions to the established rules. For instance, select contractors may be eligible to obtain a waiver that allows them to forgo certification requirements at any level. These waivers must be approved by DOD management and are valid for a predetermined length of time.

CMMC 2.0 will also grant companies a sort of grace period to certify at their desired level. This extension is limited to scenarios where undergoing the assessment process could potentially compromise mission-critical operations.

Get on the Level

The DOD has made a concerted effort to streamline the CMMC compliance program. With that said, the path to certification will likely be a time-consuming process that demands the utmost preparation and attention to detail. Understanding how the level requirements impact your organization is a crucial step along the potentially long road ahead.