CMMC 2.0 is here—the Department of Defense (DoD) announced the revamped version of the Cybersecurity Maturity Model Certification (CMMC) on November 4, 2021. CMMC, a cybersecurity compliance program for defense contractors, is intended to verify that contractors are implementing appropriate cybersecurity practices and measures. Contractors in the Defense Industrial Base (DIB) have been following CMMC closely as it is slowly phased into notices, requirements, and solicitations.
After considering feedback from industry, Congress, and other stakeholders, the DoD decided to alter CMMC to cut back on costs for small businesses and align the cybersecurity requirements to other federal requirements. In this blog, we’ll unpack CMMC version 2.0 and highlight what contractors need to know about this integral cybersecurity requirement.
The Cybersecurity Maturity Model Certification (CMMC) was developed so that defense contractors and beyond could implement the cybersecurity practices and procedures needed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
CMMC has been a hot topic of discussion since it was released in early 2020. CMMC 1.0 included 5 different security levels that companies had to reach depending on the type of work they were performing on their contracts. All contractors were also required to hire approved third-party assessors to certify that they met the required standards. Some of these requirements have changed in CMMC 2.0.
Under CMMC 2.0, defense contractors are no longer required to obtain a third-party certification if they do not handle CUI, which could drastically reduce the cost of compliance. Another big change is that the 5 levels outlined in CMMC 1.0 will be pared down to 3. All contractors who only have to reach Level 1, and a subset of contractors who have to reach Level 2, can conduct self-assessments, eliminating the need for a third-party certification. Lastly, CMMC 2.0 will eliminate all CMMC-unique practices and maturity processes.
Here is what each of the 3 levels mean in CMMC 2.0:
CMMC Level 1 (Foundational): Requires 17 practices and an annual self-assessment. No third-party certification is required.
CMMC Level 2 (Advanced): Requires 110 practices that align with NIST SP 800-171 and triennial third-party assessments for critical national security information. Select programs can conduct self-assessments instead of third-party assessments.
CMMC Level 3 (Expert): Requires 110+ practices based on NIST SP 800-172 with triennial government-led assessments.
According to the Acquisition and Sustainment Office under the Department of Defense, CMMC 2.0 will not become a contractual requirement until the DoD finalizes the rule and begins implementing the certification. This process can take anywhere from 9 to 24 months. However, the DoD still encourages defense contractors to continue monitoring their cybersecurity readiness through Project Spectrum and to improve their cybersecurity posture during this waiting period. It is important for contractors not to simply sit back and relax until CMMC 2.0 is codified.
The short answer is no. With the release of CMMC 2.0, the DoD intends to suspend the current CMMC piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation until CMMC 2.0 is finalized and rolled out. However, the DoD is exploring incentives for contractors who voluntarily obtain a CMMC certification during this interim period.
As part of the rulemaking process, the Department of Defense will release a comprehensive cost analysis of each level of CMMC 2.0. Since the model is switching to both self-assessments and third-party assessments, and eliminating some CMMC-unique maturity processes, CMMC 2.0 is expected to cost significantly less than CMMC 1.0.
After industry leaders, members of Congress, and stakeholders shared their concern for the burdens and cost of CMMC 1.0, the DoD conducted an internal review of the certification process. In their review and revamp of CMMC, the DoD focused on 3 areas:
As a result of the 3 focus areas, CMMC 2.0 simplifies the cybersecurity standards, removes barriers to compliance, provides more clarity on regulatory, policy, and contractual requirements, and makes it easier to execute.
As we have seen so far with CMMC, there are a lot of changes to monitor, and the requirements are likely to keep shifting as the Department of Defense figures out what works best. Although the requirements are not finalized and are not currently being implemented in active solicitations, it is important that you keep up with the latest requirements so you know how to prepare for the future of CMMC.
For the latest insights and government contracting news on CMMC and beyond, you can check out our blog and sign up for our monthly newsletter. If you have questions or concerns about keeping up with CMMC or other requirements for your GSA Schedule, you can ask one of our consultants.