12.03.21

CMMC Just Changed Drastically – Here’s What We Know About CMMC 2.0

The Department of Defense just announced sweeping changes to their strategic initiative, CMMC (Cybersecurity Maturity Model Certification).

After an assessment of over 850 public comments, the department’s leadership determined that CMMC would evolve into what they’re referring to as CMMC 2.0.

The new direction is actually great news for government contractors, because the department is making CMMC requirements and assessments much simpler while also creating more flexibility and more reliable oversight.

Key Call Outs

  • Instead of the previous 5 levels, CMMC 2.0 has 3 levels
  • CMMC 2.0 will use existing NIST standards
  • Instead of a maximum of 171 practices, there’s a maximum of 110, all based on NIST SP 800-172
  • Depending on the level, assessments are much simpler. Level 1 contracts can simply complete annual self-assessments, while Level 2 will require third-party assessments on a triennial basis, and Level 3 will require triennial government-led assessments

Benefits of This New Approach

According to an article by the Office of the Undersecretary of Defense, this approach is beneficial in several key ways:

Streamlined Model

  • Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
  • Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards

Reliable Assessments

  • Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
  • Higher accountability: Increases oversight of professional and ethical standards of third-party assessors

Flexible Implementation

  • Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
  • Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances

Changes to CMMC Timeline

These changes are currently proposed, but not final. Companies will be required to comply once rulemaking is in place. According to the Office of the Undersecretary of Defense:

The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.

For more information on CMMC, subscribe to our blog for future updates or check out this page.