In November 2021, the Department of Defense (DoD) suspended CMMC 1.0 and announced "CMMC 2.0," an updated program structure and set of requirements designed to achieve the primary goals of its internal review. Because the changes must go through formal rulemaking, implementation of CMMC 2.0 is anticipated to take 9 to 24 months.
What are the changes from CMMC 1.0 to CMMC 2.0?
CMMC 2.0 simplifies the model from five assessment levels to three and gives each level a name for clarity. The DoD has decided that CMMC 2.0 consists of a total of three levels:
- Level 1 (Foundational) replaces CMMC 1.0 Level 1 (Basic Cyber Hygiene). The technical requirements, the 17 practices drawn from FAR 52.204-21, have no major changes.
- Level 2 (Advanced) replaces CMMC 1.0 Level 3; the transitional CMMC 1.0 Levels 2 and 4 are eliminated. Level 2 tracks directly to the 110 security requirements of NIST Special Publication (SP) 800-171, with no CMMC-unique practices added on top.
- Level 3 (Expert) replaces CMMC 1.0 Level 5 and will track to the 110 NIST SP 800-171 requirements plus a subset of the requirements from NIST SP 800-172.
Main assessment changes
- Level 1 now consists of an annual self-assessment with an annual affirmation from a senior company official (C-suite) that the company meets all Level 1 requirements. In short, Level 1 changed from a third-party assessment (1.0) to self-attestation (2.0). This lowers the cost of becoming CMMC compliant and widens the pool of experts who can assist companies that only need to meet Level 1.
- Level 2 takes a hybrid approach, splitting controlled unclassified information (CUI) into two categories: prioritized and non-prioritized. Companies that handle prioritized CUI must undergo a triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO), just as under CMMC 1.0. Companies that handle only non-prioritized CUI may perform an annual self-assessment, with the same kind of senior-official affirmation required at Level 1, much like the NIST SP 800-171 self-assessment score that contractors must already post in the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019/7020. The DoD will publish assessment guides and scoping guidance as they become available.
- Level 3 requires triennial assessments performed exclusively by government officials, not by C3PAOs.
Plans of action and milestones (POAM) and waivers
With CMMC 2.0, DoD plans to allow companies to be awarded contracts with a POAM in place, provided a certain baseline is met. DoD intends to establish a minimum assessment score required for award, to prohibit the highest-weighted requirements from being placed on a POAM, and to require open POAM items to be closed out within 180 days.
DoD will be able to approve waivers, but only when a waiver is necessary to accomplish mission-critical work. Waivers will be strictly time-limited, will apply to the CMMC requirement as a whole for a given procurement rather than to individual practices, and can only be approved by senior DoD leadership.
What is Project Spectrum?
The DoD developed Project Spectrum to help Defense Industrial Base (DIB) contractors assess their cyber readiness and begin adopting sound cybersecurity practices.
The DoD is also exploring incentives for contractors who voluntarily obtain a CMMC 2.0 certification during the interim period before the rule takes effect; the department will provide more information when it becomes available.
Need Expert Help?
As a CMMC Provisional C3PAO and Registered Provider Organization (RPO), MPG offers assessment and end-to-end cybersecurity delivery capabilities, giving CMMC customers thorough guidance at any required CMMC level as well as strategic services to prepare an organization for CMMC success.