Those of us who work in CMMC consulting in the Virginia Beach area have been closely watching the evolution of the Cybersecurity Maturity Model Certification (CMMC) since it was first released in January 2020.
On November 4, 2021, the Department of Defense announced CMMC 2.0, which simplifies the original framework and changes several of its requirements. The key differences are summarized below.
CMMC 1.0 vs. CMMC 2.0: A Comparison of Key Updates
There are now only three CMMC levels: the original framework's Levels 2 and 4 (the "transition" levels) have been removed, leaving three levels in CMMC 2.0. Each is described below.
Level 1 (Foundational): Requires an annual self-assessment plus an affirmation by a senior company official. The 17 basic cyber hygiene practices (drawn from FAR 52.204-21) are unchanged from CMMC 1.0.
Level 2 (Advanced): The "old" CMMC Level 3 becomes the new Level 2. The 20 CMMC-unique practices and the process maturity requirements of the original Level 3 have been dropped, so contractors now implement only the 110 security requirements of NIST SP 800-171. For contracts the Department of Defense designates as "prioritized acquisitions," Level 2 compliance must be assessed by an independent third party (a C3PAO). For all other Level 2 contracts, an annual self-assessment and an affirmation by a senior company official are sufficient.
Level 3 (Expert): Replaces the original framework's Levels 4 and 5. The details are still being finalized, but this level is expected to add a subset of the enhanced requirements in NIST SP 800-172 on top of NIST SP 800-171, with assessments conducted by the government rather than by a third party.
Changes in CMMC 2.0 Explained
Aside from the modifications to the Levels, there are two other changes that DoD contractors should be aware of.
Update #1
The first change concerns assessment requirements, which now differ by level.
Level 1: Self-Assessments
One of the most common complaints from DoD contractors was that CMMC 1.0 required a third-party assessment even at Level 1. CMMC 2.0 removes that requirement. Contractors instead perform an annual self-assessment against the 17 Level 1 practices and affirm their compliance with CMMC 2.0 Level 1 once a year.
Level 2: Third-Party Evaluations and Self-Evaluations
The assessment requirements for CMMC Level 2 are split into two tracks. Contractors supporting "prioritized acquisitions" must undergo a third-party (C3PAO) assessment every three years. All other Level 2 contractors may perform an annual self-assessment and affirm their compliance with CMMC 2.0 Level 2 each year.
The Department of Defense has not yet announced how acquisitions will be prioritized, so a contractor handling CUI cannot yet assume which track it will fall under.
Level 3: Inspections Conducted by the Government
CMMC Level 3 applies only to the most critical, highest-risk DoD programs. Contractors in this group will be subject to a government-led assessment every three years.
Update #2
The second change allows the use of a Plan of Action and Milestones (POA&M).
Another major complaint from DoD contractors was that CMMC 1.0 required every practice and process to be fully implemented before a certification level could be awarded. Under CMMC 2.0, contractors may document practices that are not yet satisfied in a Plan of Action and Milestones (POA&M). The DoD has indicated that this flexibility is limited: a baseline set of requirements must still be met before award, and the remaining items on the POA&M must be closed within a clearly defined timeframe, so a POA&M is a short-term bridge rather than a substitute for implementation.