December 14, 2021
The U.S. Department of Defense (DoD) has recently completed its internal review of the Cybersecurity Maturity Model Certification (CMMC). Several significant changes have been made and all DoD contractors should be aware of them.
What’s the difference between CMMC and CMMC “2.0”? Today we’re taking a look.
What is CMMC 2.0?
The DoD’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is the new assessment framework for DoD contracts that handle Controlled Unclassified Information (CUI). It does not replace NIST SP 800-171; it builds on it by adding a required assessment (self-assessment or third-party) and a certification level to the existing NIST 800-171 obligation. CMMC 2.0 has 3 levels. Level 1 has 17 practices, allows self-assessments and is primarily targeted at protecting Federal Contract Information (FCI). Level 2 has 110 practices, may or may not require a third-party assessment depending on the acquisition, and is targeted at protecting CUI. Level 3 is based on NIST SP 800-172 and will only be required for the highest priority, most critical defense programs.
As of right now, CMMC 2.0 will mirror NIST 800-171’s 110 security practices for most government contractors working with controlled unclassified information (CUI). The CMMC 2.0 framework will be implemented through the rulemaking process and will probably not be finalized until the end of 2022 at the earliest. Once CMMC 2.0 is implemented, the DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.
What has changed between CMMC and CMMC 2.0?
The most notable change is that the original five levels of CMMC have been condensed into three. Here is a breakdown of the key differences between CMMC and CMMC 2.0:
- CMMC now has three Levels (instead of five).
- Annual self-assessments are allowed for Level 1 and a portion of Level 2.
- An annual affirmation by company leadership is required for self-assessments.
- CMMC 2.0 Level 1 has 17 practices.
- Most government contractors working with CUI will be at the new CMMC 2.0 Level 2.
- CMMC 2.0 Level 2 may require a third-party (C3PAO) assessment; whether a given contract calls for a third-party assessment or allows a self-assessment depends on whether the DoD designates the acquisition as prioritized.
- CMMC 2.0 Level 2 has 110 practices and mirrors NIST 800-171.
- Cybersecurity maturity processes are no longer required.
- CMMC 2.0 Level 3 will be based on a subset of NIST 800-172.
- Level 3 will only be required for the highest priority, most critical defense programs and will require government-led assessments.
- Plans of Action and Milestones (POA&Ms) are allowed for unmet practices, but they are strictly time constrained and cannot be used for the highest-weighted practices.
- CMMC 2.0 will be implemented over the next year or two.
If you’re panicked about the new CMMC structure and/or worried about the cost and speed of adopting the framework, don’t be. As one of the first candidate CMMC-AB C3PAOs in the country, Rimstorm provides a turnkey compliance solution, GovCon Enclave™. We also perform gap analyses and pre-certification assessments for DoD contractors, to help you achieve and maintain full NIST 800-171 and CMMC 2.0 compliance.
Contact us today for vital assistance in becoming fully compliant.