CMMC 2.0: An overview of the upcoming changes

On November 4, 2021, the Department of Defense (DoD) announced a significant shift in the Cybersecurity Maturity Model Certification (CMMC) program. To help you understand why this change was made and how it will affect your business, let’s review the history of the CMMC program. 

Why was the CMMC 1.0 framework created? 

The CMMC 1.0 framework was created to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with, and handled by DoD contractors, and subcontractors on non-federal contractor information systems.  

The CMMC 1.0 components included: 

  • Five progressively advanced levels of cybersecurity standards. 
  • DIB contractors were required to undergo a certification process to demonstrate compliance with the CMMC cybersecurity standards at a given level. 

The Department of Defense initiated an internal assessment of CMMC 1.0. 

In response to CMMC 1.0, the DoD received over 850 public comments from an internal assessment, in March 2021. Industry leaders, Congress, and stakeholders provided valuable feedback on three key areas: 

  • Reducing costs for small businesses 
  • Increasing trust in the CMMC assessment ecosystem 
  • Clarifying and aligning cybersecurity requirements to other federal requirements, and commonly accepted standards 

What were the new modifications made to CMMC 2.0? 

  • The DoD instituted a variety of modifications to boost security and to eliminate irrelevant processes in the 2.0 release. Below are some of the key changes: Instead of five levels, going forward there will only be three. Levels 2 and 4 have been removed. The remaining three levels will be named, one, two and three (1-3). 
  • One is the foundational level and is the same as CMMC 1.0 Level 1. 
  • Two is the advanced level and is the equivalent to the CMMC 1.0 Level 3. 
  • Three is the expert level and corresponds to CMMC 1.0 Level 5. 
  • CMMC-unique practices and all maturity processes from all levels will be removed. 
  • CMCC Level 1 (Foundational) 
  • Defense Industrial Base (DIB) company leadership will approve annual self-assessments with an annual affirmation. 
  • Split up CMMC Level 2 (Advanced) assessment requirements into two components: 
  • An independent third-party assessment will be required for prioritized acquisitions, involving CUI. 
  • An annual self-assessment and annual company affirmation will be required for non-prioritized acquisitions, involving Controlled Unclassified Information (CUI). 
  • CMMC Level 3 (Expert) 
  • Requires Government-led assessments. 
  • A time-bound and enforceable Plan of Action and Milestone process will be developed. 
  • A selective, time-bound waiver process will be created, if needed and approved. 

How does your business benefit from using the CMMC 2.0 framework? 

The new and improved CMMC 2.0 framework maintains all the original CMMC 1.0 cybersecurity safeguards, while providing these additional enhancements

  • Simplifying the CMMC standard and providing additional clarity on cybersecurity, regulatory, policy, and contracting requirements 
  • Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs. 
  • Increasing Department oversight of professional and ethical standards in the assessment ecosystems. 

The 2.0 enhancements provide  intrinsic benefits for your business by:   

  • Setting clear guidelines and accountability for companies implementing cybersecurity standards 
  • Minimizing barriers to compliance and increasing overall ease of execution with DoD requirements  
  • Helping instill a collaborative culture of cybersecurity and cyber resilience in companies’ industry wide 

If you are looking to learn more about CMMC 2.0, click here