Today, November 4th, 2021, the Department of Defense announced CMMC 2.0, a new version of the CMMC model with several significant changes to the original program. Although CMMC 2.0 maintains the goal of protecting the Department of Defense’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), here’s a first cut of the enhancements and changes:
- The new CMMC 2.0 framework will have a public comment period. Version 2.0 is on hold until the program has been reviewed and fully approved through the rule-making process in Part 32 of the Code of Federal Regulations (C.F.R.) and the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
- The rulemaking process can take anywhere between 9 and 24 months.
Model / Structure
- CMMC 2.0 removes unique practices and all maturity processes from the CMMC Model.
- The DoD is changing CMMC into a streamlined model more aligned with the widely accepted cybersecurity standards established by the National Institute of Standards and Technology (NIST).
The CMMC Levels
- Compliance with CMMC 2.0 Level 1 can be verified through self-attestation.
- CMMC 2.0 is a streamlined model with 3 Levels. The original Levels 2 and 4 have been removed.
- CMMC 2.0 Level 2 is now the equivalent of NIST 800-171.
- The 20 additional practices that the original Level 3 layered on top of NIST 800-171 will be removed.
- CMMC 2.0 Level 2 will have two categories. In some cases, for contractors handling non-prioritized data at Level 2, self-attestation will be permitted. In other situations, Level 2 will require a third-party assessment to verify compliance.
- CMMC Level 3 replaces the old Level 5 requirements. Level 3 is under development but will be based on a subset of NIST 800-172.
Oversight and Responsibility
- The CMMC 2.0 announcement does not reference the CMMC Accreditation Body.
- This article indicates the CMMC-AB will be replaced.
- If so, this change will not come as a surprise given the significant delays, poor communication, conflicts of interest, and public relations issues.
- The Accreditation Body’s potential elimination brings up the question of existing CMMC credentials for registered individuals and organizations. Are those credentials still valid? If not, will the costs be refunded? Much is still unknown.
DoD Contract Requirements
- CMMC 2.0 will not appear in DoD contracts until the rulemaking process produces a final rule.
- To reduce assessment costs, all organizations at Level 1 (Foundational) and a subset of organizations at Level 2 (Advanced) will be allowed to prove compliance through self-assessments.
- Assessments are intended to be more reliable, with increased accountability and oversight of the professional and ethical standards of third-party assessors.
- From the DoD: “Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and will have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process.”
- From the DoD: “The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available.”
The changes incorporated into CMMC 2.0 are in direct response to feedback from the DoD’s Defense Industrial Base members calling on the DoD to reduce the cost of CMMC compliance, increase trust in the CMMC assessment ecosystem, and align the CMMC model with other federal requirements and standards. To learn more about how the CMMC 2.0 changes will impact your organization, contact us below.