Your CMMC 2.0 Questions Answered

There are ongoing challenges for the defense industrial base (DIB) with the new CMMC 2.0 requirements. It is our top priority to answer some of your most pressing questions and keep you informed.


What is CMMC 2.0?

CMMC 2.0 is a set of cybersecurity requirements that extends DFARS 252.204-7012 and is based on NIST 800-171. Contractors must be assessed and audited against these requirements to become certified to do business with the Department of Defense (DoD). CMMC 2.0 is not only about enforcing compliance; it is about protecting you and the entire DIB from cyber-attacks that would expose Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Here is a summary of changes and what they mean to your organization:
There are now three levels instead of five
• Levels 2 & 4 have been eliminated

Level 1 (FCI) now includes an annual self-assessment/attestation
• Must post info to SPRS

Level 2 = NIST 800-171
• Required now for those with DFARS Clause 7012
• Formerly CMMC L3 minus CMMC specific practices/maturity processes
• Split – some organizations will require certification by a 3rd Party Assessor every three years; some will require annual self-assessments

Level 3 will require government-led assessments based on NIST SP 800-172
• Formerly CMMC L5

POA&Ms are allowed with restrictions
• Time-bound and enforceable
• No 5-point items (highest weighted requirements from DoD Assessment Methodology AKA the SPRS Score Spreadsheet)
• DoD will establish a minimum score requirement to support certification with POA&Ms before contract award
• Minimal waivers will be granted under a specific approval process

The rulemaking process takes ~9-24 months, so expect these changes to take effect before November 2023.

More information can be found here: https://www.acq.osd.mil/cmmc/


Why was it created?

As our nation increasingly expands its use of and reliance on technology, we are becoming more vulnerable to cyber-attacks, and cybersecurity vulnerabilities have multiplied over the years. Over the last decade, we have experienced data breaches that have negatively impacted hundreds of millions of Americans. The DoD estimates over $600 billion per year in CUI theft from defense industry IT networks. Recent attacks on the US government have made it clear that cybersecurity must be our top priority to keep us safe and resilient.

What are the levels of CMMC?

CMMC 2.0 consists of three levels, each more demanding than the last. The level of certification you need depends on the sensitivity of the information your work involves, and our Registered Practitioners can help you determine which level is most appropriate for you.

- Level 1 — Federal Contract Information
- Level 2 — Based on NIST 800-171
- Level 3 — Based on NIST 800-172