What You Need to Know About CMMC 2.0 Changes

What You Need to Know About CMMC 2.0 Changes

The Department of Defense (DoD) has announced major changes to its Cybersecurity Maturity Model Certification (CMMC) program for defense industrial base (DIB) contractors and subcontractors. CMMC 2.0 changes many aspects of the program, which was being designed to verify that DoD contractors had sufficient controls to safeguard sensitive data — including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI).

The government revisions in the program are to address three specific areas:

• Greatly reduce CMMC’s reliance on third-party assessments
• More closely align the program with existing cybersecurity standards
• Provide limited flexibility for contractors and subcontractors that may not meet certain requirements

The release of CMMC 2.0 changes more than the program’s cybersecurity model; It also affects the start of its implementation. While the DoD had intended to start incorporating the program into some defense contracts this year, the changes mean that full adoption of the new program will not take place for possibly another two years.

The DoD has said that CMMC 2.0 compliance will not be a requirement of any contracts until it has completed rulemaking to fully implement the program. The rulemaking process is expected to take between nine and 24 months. It will include changes to both Part 32 (including DoD regulations) and Part 48 (including the Federal Acquisition Regulation (FAR) and Defense Acquisition Regulation Supplement (DFARS) of the Code of Federal Regulations).

A new CMMC government website describes the CMMC 2.0 changes in detail. Today, we’ll go over the major changes planned for the model and how they might affect your planning in getting qualified for DiB contracts in the future.

What’s Changed with CMMC 2.0?

Below are the five biggest changes coming with the advent of CMMC 2.0. Keep in mind, the CMMC model has yet to be fully implemented and codified, and as such, is still marked by shifting goals and metrics. These changes were the results of the first full audits of the program, and you can expect further adjustments in the model as the rulemaking process plays out further.

Reducing the Number of Compliance Levels

The original iteration of CMMC had five compliance levels, numbered 1 through 5, and included designated “transitional” levels at 2 and 4. But CMMC 2.0 changes the number of compliance levels to just three. Here’s how the new compliance levels are defined.

Level 1 (Foundational) — This level is for contractors and subcontractors that handle only FCI as defined in the Federal Acquisition Regulation (FAR). The DoD estimates that approximately 140,000 such companies exist in the DIB.

Level 2 (Advanced) — This level is required for contractors that handle Controlled Unclassified Information (CUI). The DoD estimates that around 80,000 companies handle CUI, and about half of those handle CUI that is considered to be critical national security information.

Level 3 (Expert) — This level is for contractors that work on the most sensitive DoD programs. There are an estimated 500 companies that will need to comply with this level.

Aligning CMMC with Existing Standards

CMMC 2.0 is more closely aligned with existing standards published by the National Institute of Standards and Technology (NIST). Previously, Levels 2, 3, 4, and 5 included various CMMC-specific cybersecurity requirements on top of existing NIST standards. In CMMC 2.0, Level 2 is aligned with NIST SP 800-171, and Level 3 is based on NIST SP 800-172. As before, Level 1 includes 17 practices enumerated in the CMMC program.

Allowing for More Self-Assessments

Originally, CMMC required third-party assessments for all contracts at every compliance level. However, CMMC 2.0 requires third-party assessments for only a limited subset of contractors and subcontractors. The differentiator is CUI — Level 1 and Level 2 contractors that do not handle critical CUI are required only to undergo a self-assessment.

Level 2 contractors that handle CUI deemed to be critical national security information will be required to undergo triennial third-party assessments by a Certified Third-Party Assessment Organization (C3PAO), as they were previously. Level 3 contractors will be audited by an internal DoD division, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. These assessments will be required triennially.

While self-assessments likely will be less expensive and less extensive than third-party assessments, there’s a catch: self-assessments must be performed annually, whereas third-party assessments were required only every three years.

Allowing POA&Ms to Achieve Certification

In the prior version of CMMC, contractors had to be fully compliant with their required CMMC level prior to being awarded a contract. CMMC 2.0 changes this to allow contractors to still receive contracts if they have Plans of Action & Milestones (POA&Ms) in place to meet those requirements in the future. This won’t be a widespread allowance, as the DoD has said this alternative certification will be allowed only in “certain limited circumstances.”

Adding Waivers to CMMC Requirements

Unlike the prior version of CMMC, CMMC 2.0 will allow waivers on a “very limited basis” in select mission-critical instances upon senior leadership approval.

What This Means For Your CMMC Certification

The DoD previously expected to incorporate CMMC requirements into all DIB contracts by 2026. However, that end date is now in question, given that DoD expects rulemaking to take up to two years before any requirements are incorporated into DIB contracts.

This means if your company was already working toward CMMC requirements, then you should continue to do so, as you’ll have more time to develop plans and actions to comply with the model and address any security gaps. And while CMMC 2.0 changes numerous aspects of the program, it does — as promised — streamline some of the security measure targets for contractors.

For instance, if you were working toward CMMC 1.0 Level 3 clearance before, you’re already on track to acquire CMMC 2.0 Level 2 clearance under the revised program.

Most importantly, if you’re currently working on a contract that includes the DFARS 7012 clause, then you’re already adhering to the future standard set by CMMC 2.0. Why? Because the DFAR 7012 clause dictates that contractors implement NIST SP 800-171 cybersecurity measures, and NIST SP 800-171 is the new standard for CMMC 2.0 Level 2.

Navigate CMMC 2.0 Changes with Inversion6 Technologies

As sanctioned by the CMMC Accreditation Body (CMMC AB), a CMMC Registered Practitioner helps organizations in many ways in their search for certification. By working with a CMMC Registered Practitioner such as Inversion6 Technologies, you’ll be kept up to speed on any new developments in the process, such as those from November 2021 with the announcement of CMMC 2.0.

A CMMC Registered Practitioner provides many benefits for DIB contractors looking to become certified, improve their capabilities, and line up third-party or self-assessments. In addition, a registered practitioner will continue to monitor the development of the CMMC program, including the upcoming rulemaking process for changes to DoD and DFARS regulations, to translate what it means and how it could impact your business.

You can learn more about CMMC, why you need a registered practitioner, and how we’ll guide you through every step in the process in our ebook here.

The ever-evolving CMMC terrain can be intimidating for smaller businesses trying to figure out how they can meet the new clearances governing DoD contractors. We’ve worked for decades to make companies more secure and enable their security systems to reach many industry regulatory and compliance requirements.

Contact Inversion6 to learn more about how our CMMC services can alleviate some of the pressures your business faces as it prepares for the new DoD cybersecurity model.