The Cybersecurity Maturity Model Certification (CMMC) program is undergoing significant modifications. The redesigned program is known as “CMMC 2.0,” It was first announced in a Preliminary Announcement of Proposed Rulemaking on November 4, 2021. This new accreditation methodology aims to simplify compliance for defense contractors and suppliers by reducing red tape, simplifying cybersecurity legislative and organizational obligations, and streamlining the present CMMC tiers and requirements. It also gives vendors some leeway if they don’t satisfy all CMMC solution standards.
CMMC 2.0, in particular, has strategic modifications that allow it to better connect with other federal cybersecurity frameworks, such as the Federal Information Security Manag cmmc solution ement Act, rather than having wholly distinct criteria. For example, levels 2 and 4 adherence have been eliminated from CMMC 2.0 since they include practices and maturity procedures that are distinct to the CMMC program.
The Department of Defense (DoD) has said that it would not use CMMC 2.0 as a foundation for evaluation until the requisite regulation has been completed to implement the program. CMMC 2.0 is planned to be implemented over the next 9 to 24 months, including revisions to Part 32 (DoD rules) and Part 48 DARS of the Code of Federal Regulations.
Contractors are urged to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 regulations, as the DoD has discontinued its existing CMMC pilot programs. This isn’t to say they shouldn’t begin planning for the CMMC 2.0 implementation as soon as possible.
What are the significant alterations in CMMC 2.0?
The improvements to CMMC are intended to improve transparency in implementing cybersecurity requirements while reducing compliance issues. Contractors and subcontractors should be aware of three significant changes in CMMC 2.0:
1. A three-tiered approach rather than a five-tiered model
The five-level model of CMMC 1.0 will be replaced with a three-tiered process of cybersecurity requirements in CMMC 2.0. Each CMMC 2.0 corresponds to separately defined requirements such as NIST and FAR standards. The new approach will also eliminate CMMC-specific procedures, reducing reliance on third-party evaluators.
The following are the tiers of criteria for CMMC 2.0’s revised three models:
Level 1 (Foundational) — In CMMC 2.0, Level 1 is the same as Level 1 in the CMMC 1.0 paradigm. It necessitates yearly self-evaluations and certifications and the same 17 practices developed from FAR 52.204-21, which specifies fundamental cyber hygiene required to secure federal contract information (FCI).
Level 2 (Advanced) – In CMMC 2.0, Level 2 corresponds to Level 3 in the previous CMMC compliance requirements paradigm. Emphasized procurements and non-prioritized purchases are the two types of acquisitions. The division depends on the sensitivity of the controlled unclassified information (CUI) implicated; for example, CUI linked to military hardware will be classified as prioritized acquisitions, whereas CUI relating to military clothing will be categorized as non-priority purchases.
These two groups have entirely different evaluation needs. Non-prioritized purchases simply require a yearly self-assessment; however, prioritized procurements will demand triennial evaluations by a recognized third-party assessing organization (C3PAO).
There are 110 practices in the new CMMC 2.0 Level 2 model, down from 130 in the CMMC 1.0 framework, all of which are linked with NIST SP 800-171 controls.
Level 3 (Expert) – In CMMC 2.0, Level 3 is intended to displace Levels 4 and 5 in the prior model, and it is completely compliant with NIST requirements. It will necessitate government-led evaluations every three years, rather than C3PAO-led evaluations. Level 3 accreditation will also fully comply with the NIST SP 800-172 checks, in addition to the 110 controls necessary for Level 2 certification.
2. More flexible evaluation standards
The Department of Defense will enable all Level 1 and a subset of Level 2 enterprises to perform yearly self-assessments under CMMC 2.0, but only after the Defense Industrial Base has granted its approval. This implies that firms who only handle FCI and not CUI will avoid some of the hassles and expenses connected with 3rd party cybersecurity guidelines execution audits.
3. Waivers and POAMs
The Department of Defense will enable select organizations that deal with sensitive declassified DoD data to achieve adherence standards through plans of action and milestones (POAMs) rather than real compliance once CMMC 2.0 is implemented. Vendors or suppliers may be given agreements in restricted circumstances as they work toward complete compliance.
Contractors and subcontractors that want to use a POAM to satisfy CMMC 2.0 criteria should get a required minimum rating. In addition, they must complete POAMs 180 days after receiving a contract. If they execute all of the restrictions within that period, the awarding officer may terminate the agreement. Furthermore, POAMs will not be accepted by the Department of Defense for “highly weighted” controls.