CMMC 2.0 - Revamping of the DOD Compliance Program
The Department of Defense has introduced a revision to the original comprehensive CMMC program framework, initially released in January 2020, which is designed to protect the defense industrial base from cyberattacks. The CMMC 2.0 cybersecurity compliance program changes were enacted in response to feedback collected from contractors concerning the cost and complexity of the requirements. CMMC 2.0 allows for more self-assessment, reduces the compliance tiers from 5 to 3 distinct levels by eliminating the previous levels 2 and 4, and minimizes the role of third-party assessment. With its streamlined requirements, CMMC 2.0:
Simplifies the process for small and medium-sized businesses
Prioritizes the protection of DoD information
Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
Contractors will be required to obtain a third-party CMMC assessment for acquisitions requiring Level 2 ('Advanced') cybersecurity standards. The CMMC Accreditation Body (CMMC-AB) will maintain its role in accrediting assessment organizations, and government personnel will conduct assessments of contractors subject to higher-level cybersecurity requirements. The DOD website launched to explain CMMC 2.0 also notes that the DOD is charged with approving the CMMC-AB's conflict-of-interest policies.
CMMC 2.0 Level 1 will include the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171 covering basic cyber hygiene. This level applies to organizations handling ONLY Federal Contract Information (FCI). CMMC 2.0 Level 1 will be achievable with a self-assessment.
CMMC 2.0 Level 2 includes the 110 controls of NIST 800-171. Level 2 will be split based on the criticality of the information held by the organization. For organizations deemed to hold CUI identified as Critical National Security Information, a third-party assessment will be required every three years. For select organizations, an annual self-assessment against these controls will be sufficient.
CMMC 2.0 Level 3 is still under development, but it lists 110+ practices based on NIST 800-172. Assessments at Level 3 will be completed by the government rather than by C3PAOs.
The DoD has specified that while the publication of CMMC 2.0 materials can be understood to reflect strategic intent, there will be no contractual requirements for CMMC 2.0 until formal rulemaking is complete. The DOD intends to allow contracts to be awarded with Plans of Action and Milestones (POAM) in place to complete CMMC requirements. Some controls will be mandatory for award, with the remaining controls to be addressed on a clearly identified timeline.
Have questions or need assistance getting CMMC certified?
Visit the KCS CMMC page and connect with us to learn how to become CMMC compliant before its launch. Our team is available to review your current information systems and deliver a customized road map to certification, ensuring your organization is operating at basic cyber hygiene standards and above.