Skip to content
Lisa DeVoto November 15, 2021 4 min read

How CMMC 2.0 Impacts US Government Contractors

With the DoD announcement of CMMC 2.0 on November 4, 2021, many companies in the Defense Industrial Base (DIB) are wondering whether CMMC still applies to their future government contracts.

What Has Changed in CMMC

1.  3 Levels Instead of 5

Five levels were initially introduced in CMMC 1.0, although Level 2 and Level 4 were expected to be transitional steps.

CMMC 2.0 uses only three levels:

  • Level 1 – Foundational
  • Level 2 – Advanced (equivalent to the 110 security practices in NIST 800-171)
  • Level 3 – Expert (a subset of NIST SP 800-172 requirements)

CMMC 2.0

from Acquisition & Sustainment, Office of the Under Secretary of Defense

2.  Self-Certification May Be an Option for You

Initially, CMMC did not allow for self-certification at any level.

This has changed in CMMC 2.0.

For each level, certification is expected to work as follows in CMMC 2.0:

Level 1 – all Level 1 companies can self-certify

Level 2 – a subset of Level 2 companies will be able to self-certify, and others will need to hire an outside assessor (C3PAO) to perform an assessment

Level 3 – all Level 3 companies will require an assessment by the government

Contractors that only need to meet Level 1 of CMMC are those that are protecting Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).

FCI is information not intended for public release that is provided by the US government under a contract to develop or deliver a product or service to the government but not publicly available information, such as on websites

CUI is information the US government creates or possesses that a law, regulation, or government-side policy requires or permits an agency to handle using safeguarding or dissemination controls

3.  Fewer Assessments for C3PAOs

Certified Third-Party Assessment Organizations (C3PAO) will continue to be part of the CMMC ecosystem and provide assessments to some organizations seeking Level 2 compliance.

Since all Level 1 companies will be able to self-certify, as well as some Level 2 companies, fewer assessments will require a C3PAO.

4.  POA&Ms Can Be Used for Compliance

Plans of Action with Milestones (POA&M) serve as written plans of how an organization will meet compliance in the future. POA&Ms were used by companies to show compliance with NIST SP 800-171 but were not originally sufficient to show compliance with CMMC.

In CMMC 2.0, it is expected that POA&Ms will be an acceptable form of remediation for certain CMMC practices.

Even without knowing if you will be able to use a POA&M to show CMMC compliance, POA&Ms are of value to all companies in strengthening their security posture, as are System Security Plans (SSP).

What Hasn't Changed in CMMC 2.0 

The DoD is still moving forward with CMMC.

The CMMC Accreditation Body (CMMC-AB) continues to have an exclusive contract with the DoD authorizing the CMMC‑AB to operationalize CMMC assessments and training.

The Supplier Performance Risk System (SPRS) will continue to be used by contractors not handling CUI (Level 1 and some Level 2) to register self-assessments and affirmations.

Why CMMC Changed

  1. Concerns that many small businesses (with limited resources) would be unable to comply with CMMC as originally planned
  2. Multiple cybersecurity requirements and regulations were confusing for contractors
  3. A limited number of third-party assessor organizations, C3PAOs, available to perform assessments

Impact of CMMC 2.0 on Contractors

The new iteration of CMMC still aligns with the original goal of protecting information in government supply chains, and also:

  • Simplifies and provides clarity on the requirements
  • Limits outside third-party assessments to contractors supporting the highest priority programs
  • Increases oversight of the assessment ecosystem

By minimizing barriers to compliance, CMMC 2.0 makes it easier for contractors to adopt cybersecurity controls and meet the compliance requirements.

 

cmmc-levels

What Will CMMC 2.0 Cost?

Your costs to comply with CMMC will vary based on the contract requirement for your CMMC level and the complexity of your IT infrastructure.

But compared to the first iteration of CMMC, costs to comply across the DIB will be lower due to the number of companies that will not require an assessment by a C3PAO (Level 1 and some Level 2 companies).

Timeline for CMMC 2.0

The CMMC requirement will not be included in any DoD contract until CMMC 2.0 is finalized and rulemaking is completed, which is expected to take 9-24 months from the date of announcement on November 4, 2021.

CMMC

Actions to Take Now to Prepare for CMMC

With the announcement of CMMC 2.0, the DoD has issued guidance for ways a DIB company can become more secure.

  1. Educate employees on cyber threats
  2. Implement access controls
  3. Authenticate users
  4. Monitor your physical space
  5. Update security protections

Corserva Compliance Consulting Services

RPOCorserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors.

Corserva has created an easy process to enable you to get ready for a CMMC assessment and comply with CMMC.

Corserva offers:

  • Pre-assessment readiness services for CMMC
  • Technical remediation to correct gaps in compliance
  • Assessments for NIST 800-171
  • Customized cybersecurity programs

REQUEST A QUOTE

avatar

Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She is driven to help people solve problems through educational content. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.