What's new in CMMC 2.0?

CMMC 2.0 Changes

November 4th, 2021, was a big day for the cybersecurity world: the Department of Defense announced CMMC 2.0, a revamp of the CMMC framework. We’ve summed up the fundamental changes below.


Reduction of Certification Levels

The most notable change announced in CMMC 2.0 is the reduction of certification levels. Previously there were five levels, but levels 2 and 4 have been removed, reducing the number of certification levels to 3. According to the DoD, levels 2 and 4 were removed because they were transition levels that were not entirely necessary and only served to slow down the certification process. The levels are now as follows:

Level 1 – This level now requires an annual self-assessment, and organizations must post their results to the Supplier Performance Risk System (SPRS) to remain compliant.

Level 2 – This level is required for those with DFARS 252.204-7012 in their contracts. At this level, some organizations will require certification by a third-party assessor every three years, whereas others will require annual self-assessments.

Level 3 – Requires government-led assessments based on NIST SP 800-172.


Assessment Changes

One of the most drastic changes in CMMC 2.0 is that a third-party organization is no longer required to perform every certification assessment. Under the new framework, level 1 certification and some level 2 certifications will only need an annual self-assessment.

Prioritized acquisitions that require level 2 certification will still need third-party assessments every three years, as before. Level 3 certifications will require government-led assessments every three years.


POA&Ms Are Now Allowed, but with Restrictions

Under the new CMMC 2.0 framework, contractors will be permitted to use time-limited Plans of Action and Milestones (POA&Ms) to achieve certification. The DoD will also specify the minimum assessment score required before a POA&M may be used. Some critical assessment objectives will not be allowed on a POA&M and must be implemented before certification. These details will be released after final rulemaking occurs.


Streamlining the Process

CMMC 2.0 will draw only from NIST SP 800-171 and NIST SP 800-172 for its cybersecurity requirements. It will no longer include practices that were drafted specifically for the CMMC framework, nor practices pulled from other domestic and international cybersecurity standards.


Elimination of Maturity Processes

CMMC 1.02 evaluated both cybersecurity practices and processes: practices covered the technical controls themselves, whereas processes assessed the extent to which those practices had been institutionalized. Under the new model, process maturity will no longer be evaluated; assessments will cover only the practices themselves.


CMMC 2.0 Implementation Timeline

The final rulemaking process takes between 9 and 24 months. As a result, these changes should take effect between August of 2022 and November of 2023. The DoD is considering providing incentives to contractors that achieve certification while implementation is taking place.


For more information, please send us a message. We are here to help!


By: Alex O’Reilly


Sources:

https://www.acq.osd.mil/cmmc/about-us.html

https://www.jdsupra.com/legalnews/dod-revamps-contractor-cybersecurity-3642824/

https://www.bakertilly.com/insights/cmmc-2.0-five-key-changes-for-government-contractors