Fortunately, the Department of Defense’s months-long review of CMMC 1.0 has resulted in a more streamlined standard that, despite a number of key changes that will take immediate effect once the rule-making process concludes, ultimately will help simplify programs across the DIB.
Here are two key changes brought forth by CMMC 2.0, as well as key deliverables to consider.
The most notable change with CMMC 2.0 is the reduction in Levels from 5 to 3.
Level 1 – 17 practices (aligned with FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems)
Level 2 – 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
Level 3 – 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)
As described, these levels are defined by required security practices and controls, NIST SP 800-171 and SP 800-172 in particular, rather than by the maturity processes used in CMMC 1.0.
Under CMMC 2.0, organizations will be able to self-assess, with eligibility depending on their level. That being said, the CMMC-AB will continue accrediting CMMC Third-Party Assessor Organizations (C3PAOs), and the DoD will have more oversight of assessments, primarily at Level 3.
The expanded self-assessment eligibility permitted under CMMC 2.0 includes:
Level 1 – Annual self-assessments, with company self-certification of compliance.
Level 2 – Two approaches: triennial third-party assessments for “critical national security information,” and annual self-assessments (as in Level 1) for other programs. Third-party assessments will be conducted by C3PAOs.
Note: specific language clarifying requirements for each approach will be included in the contract, but for now, the distinguishing factors remain unclear.
Level 3 – Government-level assessments required from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
While it could take up to a year for CMMC 2.0 to complete the federal rulemaking process, organizations would be wise to begin implementation as soon as possible, given that the provisions of CMMC 2.0 will be effective immediately upon approval. If you’re a member of the DIB, here are two simple ways to make sure you’re prepared for 2.0.
NIST SP 800-171 is now the law of the land. Since it will be the standard for both self-assessments and third-party assessments under CMMC 2.0, the DIB community should ensure their protocols are as closely aligned with it as possible. For more sensitive DoD contracts and data, the same can be said for NIST SP 800-172.
Shortly after the DoD announced its changes to CMMC, it stipulated that it may implement financial incentives for organizations that voluntarily adopt the CMMC 2.0 changes early. If your organization was preparing for CMMC certification under the original framework, applying for early 2.0 certification may benefit you in more ways than one.