On November 4, 2021, CMMC 2.0 was launched after a months-long internal review by the Department of Defense (DoD).
Why the change?
As we mentioned in a previous post, the DoD implemented these changes as a response to feedback received on CMMC 1.0. They wanted to reduce costs and red tape—particularly for small businesses—increase trust in the CMMC assessment ecosystem, and clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards.
In this post, we want to take a closer look at how CMMC 2.0 is different from CMMC 1.0.
From 5 to 3 Maturity Levels
Let’s start with the biggest change between CMMC 1.0 and 2.0: the reduction in the number of maturity levels from five to three.
CMMC 1.0
In CMMC 1.0, companies needed to meet one of five maturity levels in order to become and remain a prime contractor:
- Level 1 – Processes: Performed, Practices: Basic Cyber Hygiene (recertify every three years)
- Level 2 – Processes: Documented, Practices: Intermediate Cyber Hygiene (recertify every three years)
- Level 3 – Processes: Managed, Practices: Good Cyber Hygiene (recertify every two years)
- Level 4 – Processes: Reviewed, Practices: Proactive (recertify every year)
- Level 5 – Processes: Optimizing, Practices: Advanced/Proactive (recertify every year)
CMMC 2.0
In CMMC 2.0, however, there are only three maturity levels, as it eliminates CMMC 1.0’s Levels 2 and 4. According to the DoD, these were only ever “developed as transition levels and never intended to be assessed requirements.” The biggest difference is that CMMC 2.0’s three levels directly correlate to other federal requirements already in place:
- Level 1 – Foundational is aligned with FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (for companies with FCI only).
- Level 2 – Advanced is aligned with NIST SP 800-171: Protecting CUI in Nonfederal Systems, and also requires compliance with FAR 52.204-21 (for companies with CUI).
- Level 3 – Expert is aligned with NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information, and also requires compliance with FAR 52.204-21 and NIST SP 800-171 (for the highest priority programs with CUI).
In short, while CMMC 1.0 included requirements not found in other publications, CMMC 2.0 relies entirely on security practices prescribed in other publications.
Assessment Requirements
Whereas CMMC 1.0 required all DoD contractors to undergo third-party assessments for CMMC compliance, CMMC 2.0 eases those assessment requirements for companies not handling information related to prioritized acquisitions.
Here’s how assessments will work based on CMMC 2.0 Levels:
- Level 1: The majority of contractors associated with Level 1—and a subset of Level 2 programs—will be allowed to perform annual DIB self-assessments.
- Level 2: While contractors with non-prioritized acquisitions will need to complete and report a CMMC Level 2 self-assessment and submit senior official affirmations to SPRS, those with prioritized acquisitions will be responsible for obtaining triennial third-party assessments and certification prior to a contract being awarded.
- Level 3: All Level 3 contractors will require triennial assessments conducted by government officials.
When Will This Take Effect?
The DoD will implement these changes through a forthcoming rulemaking process, which it anticipates will take between nine and 24 months. This means that CMMC 2.0 will not be a contract requirement until after the rulemaking process is complete.
Ready to implement all of these requirements and ensure your security systems are up to date? We’re here to help. Send us a message today to learn how we can provide the experienced, knowledgeable CMMC 2.0 support you need.