CMMC 2.0 is announced – what does this mean for contractors?
By Matt Malarkey | Date published: 25 November 2021
The five-year implementation time allows defense contractors in the DoD supply chain who process sensitive government information to obtain CMMC certification, demonstrating the level of cybersecurity maturity required in their respective DoD contracts.
However, in November 2021, following a review as part of the Biden Administration’s effort to enhance the security of the US supply chain, the DoD announced its proposed changes to the CMMC program. Under the new approach, which has yet to be officially implemented, the CMMC framework would be updated and significant changes made to the requirements for contractors. These changes are now progressing through the rulemaking process and are expected to be introduced in the next 9 – 24 months.
What has changed for CMMC 2.0?
CMMC 1.0 consisted of 5 different levels, whilst the new framework has simplified this down to three levels and removed some of the requirements for third-party assessments at the lower maturity levels.
[Image from https://www.acq.osd.mil/cmmc/about-us.html]
- CMMC Level 1: This foundational level will remain the same as the current CMMC level 1, with 17 practices as part of the certification. The main change to this level is that compliance will now be based on an annual self-assessment rather than a third-party assessment.
- CMMC Level 2: This equates to level 3 in CMMC 1.0 but has been reduced to 110 practices which are aligned to NIST 800-171 – the CMMC-specific security practices included in v1.0 have been removed. This level can be either self-assessment or third-party assessment, depending on the nature of the contract and information handled.
- CMMC Level 3: Although the practices for this level have not been fully defined yet, they will be based on NIST 800-172 and will require triennial government-led assessments.
As well as the move away from third-party assessment for all the levels, CMMC 2.0 introduces the ability for companies, under certain limited circumstances, to make Plans of Action & Milestones (PoAMs) if not all requirements are met. This enables the DIB organizations to move forward on their contracts whilst simultaneously closing any compliance gaps. Waivers to CMMC certification will also be allowed in limited circumstances.
Why the requirements have changed for CMMC 2.0
Following a review of the existing framework by the DoD, CMMC 2.0 was announced. The aim was to introduce a more streamlined model aligned with widely accepted standards, such as NIST. The changes are also intended to reduce assessment costs through the introduction of self-assessments for the foundational levels. The introduction of Plans of Action & Milestones (PoAMs) to achieve certification in certain circumstances also makes the scheme more flexible and easier to implement.
Benefits of the changes from CMMC 1.0 to CMMC 2.0
The changes to the requirements will give contractors a lot more flexibility in how they become compliant, with self-assessment becoming an option for many of them. This means that it will be simpler and cheaper for many smaller contractors, who will no longer need to seek third-party assessment. The reduction in the number of CMMC levels and the number of practices at each level means that becoming compliant will be a more straightforward process, and many DIB organizations should already be fully level 2 compliant if they have NIST 800-171 compliance requirements from existing contracts. The introduction of PoAMs will also make it more manageable for organizations to close any compliance gaps in a reasonable timeframe without disrupting their work.
The alignment to the NIST frameworks, specifically NIST 800-171 for level 2 and NIST 800-172 for level 3, means that organizations already working to these frameworks will find it easier to meet the requirements of CMMC v2.0.
What to do going forward with CMMC compliance?
Whilst the rulemaking effort is ongoing, the DoD intends to suspend the current CMMC piloting effort and will not approve inclusion of a CMMC requirement in any DoD solicitations, so there will not be any immediate requirement for CMMC for contractors to consider.
The official rollout of CMMC v2.0 is likely to happen between July 2022 and November 2023. However, the DoD have stated that they are exploring opportunities to provide incentives for contractors who voluntarily obtain CMMC certification in the interim.
This places greater focus on contractors’ NIST 800-171 compliance in the short term. So, in the meantime, if you think that you will have contractual requirements to obtain CMMC certification in the future, ensuring that you are compliant with the requirements of NIST 800-171 would create a solid foundation to build from.
With cybersecurity being defined as a “core national security challenge” and an ongoing area of focus of the Biden Administration, it is important for companies to continue to enhance their cybersecurity posture and to be prepared to comply with the CMMC requirements when the rulemaking process is complete.
Assessing CMMC and NIST 800-171 compliance for the core network with Nipper
If you want to assess the compliance of your core network devices, Nipper is a valuable tool for auditing firewalls, switches and routers, with out-of-the-box capability to evidence compliance with NIST 800-171 and CMMC, as well as other Risk Management Frameworks. Request a free trial to see how the software can benefit your organization.
Achieve compliance with up to 89% of CMMC core network security practices across 9 domains, with Nipper.