With the DoD announcement of CMMC 2.0 on November 4, 2021, many companies in the Defense Industrial Base (DIB) are wondering whether CMMC still applies to their future government contracts.
What Has Changed in CMMC
1. Three Levels Instead of Five
Five levels were initially introduced in CMMC 1.0, although Level 2 and Level 4 were expected to be transitional steps.
CMMC 2.0 uses only three levels:
- Level 1 – Foundational
- Level 2 – Advanced (equivalent to the 110 security practices in NIST 800-171)
- Level 3 – Expert (a subset of NIST SP 800-172 requirements)
2. Self-Certification May Be an Option for You
Initially, CMMC did not allow for self-certification at any level.
This has changed in CMMC 2.0.
For each level, certification is expected to work as follows in CMMC 2.0:
- Level 1 – all Level 1 companies can self-certify
- Level 2 – a subset of Level 2 companies will be able to self-certify, and others will need to hire an outside assessor (C3PAO) to perform an assessment
- Level 3 – all Level 3 companies will require an assessment by the government
Contractors that only need to meet Level 1 of CMMC are those that are protecting Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
FCI is information not intended for public release that is provided by the US government under a contract to develop or deliver a product or service to the government; it excludes information the government has made publicly available, such as on public websites.
CUI is information the US government creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
3. Fewer Assessments for C3PAOs
Certified Third-Party Assessment Organizations (C3PAO) will continue to be part of the CMMC ecosystem and provide assessments to some organizations seeking Level 2 compliance.
Since all Level 1 companies will be able to self-certify, as well as some Level 2 companies, fewer assessments will require a C3PAO.
4. POA&Ms Can Be Used for Compliance
Plans of Action with Milestones (POA&M) serve as written plans of how an organization will meet compliance in the future. POA&Ms were used by companies to show compliance with NIST SP 800-171 but were not originally sufficient to show compliance with CMMC.
In CMMC 2.0, it is expected that POA&Ms will be an acceptable form of remediation for certain CMMC practices.
Even without knowing if you will be able to use a POA&M to show CMMC compliance, POA&Ms are of value to all companies in strengthening their security posture, as are System Security Plans (SSP).
What Hasn't Changed in CMMC 2.0
The DoD is still moving forward with CMMC.
The CMMC Accreditation Body (CMMC-AB) continues to have an exclusive contract with the DoD authorizing the CMMC-AB to operationalize CMMC assessments and training.
The Supplier Performance Risk System (SPRS) will continue to be used by contractors not handling CUI (Level 1 and some Level 2) to register self-assessments and affirmations.
Why CMMC Changed
- Concerns that many small businesses (with limited resources) would be unable to comply with CMMC as originally planned
- Multiple cybersecurity requirements and regulations that were confusing for contractors
- A limited number of third-party assessor organizations (C3PAOs) available to perform assessments
Impact of CMMC 2.0 on Contractors
The new iteration of CMMC still aligns with the original goal of protecting information in government supply chains, and also:
- Simplifies and provides clarity on the requirements
- Limits outside third-party assessments to contractors supporting the highest priority programs
- Increases oversight of the assessment ecosystem
By minimizing barriers to compliance, CMMC 2.0 makes it easier for contractors to adopt cybersecurity controls and meet the compliance requirements.
What Will CMMC 2.0 Cost?
Your costs to comply with CMMC will vary based on the contract requirement for your CMMC level and the complexity of your IT infrastructure.
But compared to the first iteration of CMMC, costs to comply across the DIB will be lower due to the number of companies that will not require an assessment by a C3PAO (Level 1 and some Level 2 companies).
Timeline for CMMC 2.0
The CMMC requirement will not be included in any DoD contract until CMMC 2.0 is finalized and rulemaking is completed, which is expected to take 9-24 months from the date of announcement on November 4, 2021.
Actions to Take Now to Prepare for CMMC
With the announcement of CMMC 2.0, the DoD has issued guidance for ways a DIB company can become more secure.
- Educate employees on cyber threats
- Implement access controls
- Authenticate users
- Monitor your physical space
- Update security protections
Corserva Compliance Consulting Services
Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors.
Corserva has created an easy process to enable you to get ready for a CMMC assessment and comply with CMMC.
- Pre-assessment readiness services for CMMC
- Technical remediation to correct gaps in compliance
- Assessments for NIST 800-171
- Customized cybersecurity programs