The Cybersecurity Maturity Model Certification (CMMC) was created as a way to protect the defense industrial base from frequent, complex cyberattacks. The unified standard was initiated by the DoD in response to serious compromises of sensitive defense information that supports the warfighters.
Version 1.0 of the Cybersecurity Maturity Model Certification was released by the DoD on January 31, 2020. This highly anticipated program was drafted with substantial input from the University Affiliated Centers and Federally Funded Research and Development Centers. Before the release of version 1.0, contractors were tasked with implementing, certifying and monitoring the security of their information systems, as well as of the sensitive information stored on and transmitted through those systems.
On November 4, 2021, CMMC version 2.0 was released. Along with news of the release, a document was posted on the Federal Register that outlined several key points about how the DoD's requirements differ from the first version. One of the biggest changes was the consolidation from 5 levels to 3 levels.
What Is CMMC Version 2.0?
The launch of CMMC 2.0 followed an internal DoD review of the program that began in March 2021. The new strategic direction was taken based on industry feedback on the interim DFARS rule. CMMC version 2.0 is expected to have a significant impact on the defense industrial base (DIB) and far-reaching implications across the CMMC ecosystem.
With the release of CMMC 2.0, it is clear that the cybersecurity compliance program has been pared down in both scope and expectations. Version 2.0 no longer requires every contractor to obtain third-party certification; contractors that do not come in contact with controlled unclassified information (CUI) are exempt. This is a major change that could ultimately decrease the cost of compliance for many contractors.
CMMC 2.0 is expected to significantly strengthen the cybersecurity of the DIB. These updates aim to support businesses in adopting the needed cybersecurity practices while removing barriers to compliance. Under the new CMMC model, the total number of security tiers has been reduced from five to three, and the maturity practices that were unique to CMMC have been completely removed from the standard.
Defense contractors are most likely to feel the effects of CMMC version 2.0. However, they are not the only group that will be impacted by these changes. Consultants, assessors, trainers and many other cyber experts were expecting to help meet the demand of more than 300,000 defense contractors who currently conduct business with the DoD. With the changes in version 2.0, the majority of contractors who do not work directly with sensitive programs will only be required to undergo a level 1 assessment.
What are the 3 Levels of CMMC 2.0?
In CMMC version 1.0, levels 2 and 4 were developed as transition levels. Version 2.0 of the Cybersecurity Maturity Model Certification has done away with these two levels, leaving behind just three levels. These include:
Level 1 (Foundational Level)
Level 1 of CMMC 2.0 is referred to as the ‘foundational’ level. This level only applies to organizations that possess federal contract information (FCI). It is similar to level 1 of CMMC 1.0 and focuses on protecting FCI by safeguarding covered contractor information systems and limiting access to sensitive information to authorized users. CMMC 2.0 level 1 is based on a total of 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contract Information.
Level 2 (Advanced Level)
The second level of CMMC 2.0 is called the ‘advanced’ level and targets organizations that work with CUI. This level is comparable to level 3 of CMMC 1.0. CMMC 2.0 level 2 requirements include those found in NIST SP 800-171 but eliminate all maturity processes and practices that were unique to CMMC. Level 2 now aligns with the 14 control families and 110 security controls that were developed by the National Institute of Standards and Technology (NIST) to keep sensitive information safe.
Level 3 (Expert Level)
The third and final level of CMMC version 2.0 is the ‘expert’ level. Level 3 focuses on decreasing the risk from Advanced Persistent Threats (APTs) and is intended for organizations that work with high-priority CUI, meaning CUI that is critical to national security. This level is comparable to level 5 of CMMC 1.0. While the DoD continues to determine the specific security requirements for CMMC 2.0 level 3, it is expected that these requirements will be based on the 110 controls in NIST SP 800-171, as well as a subset of NIST SP 800-172 controls.
What Changes Occurred with CMMC 2.0?
The Department of Defense has stated that the rulemaking process is expected to take between nine and 24 months. Due to these ongoing rulemaking efforts, the DoD has temporarily suspended all mandatory CMMC certification and pilot efforts. During this time, the DoD will not approve the inclusion of any CMMC requirement in contracts until the rulemaking has been completed. Currently, the DoD is considering whether to offer contractors incentives to voluntarily attain their required CMMC level before the rulemaking process is complete.
Before getting started with CMMC 2.0 compliance, it is important to understand what changes have occurred since the first version’s release. Here is a look at these changes and the impact they have had on the industry.
Change 1: From 5 to 3 Compliance Levels
The most noticeable change in CMMC 2.0 is the simplification of the maturity model from five compliance levels to just three. Maturity level 1 remains unchanged, with 17 practice requirements that reflect the cybersecurity practices found in FAR 52.204-21. CMMC level 2 takes the place of the previous level 3 but omits the ‘delta 20’ practices (the 20 practices that were unique to CMMC), which aligns this level with the 110 practices of NIST SP 800-171. Level 3 takes the place of the previous maturity levels 4 and 5 but is still under development.
The biggest impact of the change from five to three compliance levels is the removal of the delta 20 practices from the new maturity level 2. The CMMC-AB had assumed that the majority of organizations would not try to achieve CMMC 1.0 maturity level 2 certification, as that level was only an intermediate step. The removal of the delta 20 practices better aligns the requirements for handling CUI with the guidelines found in NIST SP 800-171.
Change 2: Elimination of All Maturity Processes
CMMC 1.0 defined a total of five maturity processes: performed, documented, managed, reviewed and optimized. In version 2.0, all maturity processes are eliminated. These criteria were one of the main challenges in achieving certification, due to the level of effort involved and the lack of guidance provided.
Change 3: Assessments for OSCs
The new maturity level 1 will allow for self-assessments by organizations seeking certification (OSCs). Certified third-party assessor organizations (C3PAOs) will be tasked with assessing a subset of OSCs that wish to acquire maturity level 2. Level 3 assessments will be conducted jointly by C3PAOs and the government: the government is expected to lead the NIST SP 800-172 portion, with C3PAOs responsible for the NIST SP 800-171 portion of the assessment.
This joint assessment model will only apply to OSCs that handle contracts involving information deemed critical to national security. The impact of this change is fewer third-party assessments and an increase in self-assessments. Under CMMC 2.0, the majority of the DIB will not have to pay to undergo a third-party assessment.
Change 4: Inclusion of POA&Ms
Organizations were once able to use a Plan of Action and Milestones, or POA&M, to remediate certain findings while continuing on their path to certification. This was not the case with CMMC 1.0. Under CMMC 2.0, however, the DoD has announced that time-bound, enforceable POA&Ms will be allowed in support of CMMC certification, except for a small subset of requirements.
The impact of this change is more flexibility for OSCs to pass a certification assessment without having fully implemented every required practice. OSCs will have to follow POA&M guidelines that have not yet been fully released.
Change 5: Waivers May Be Permitted
Unlike the original framework, CMMC version 2.0 may allow waivers of certification in very limited circumstances. Under the original framework, the program was to be rolled out over five years, with an increasing number of contracts carrying the CMMC DFARS clause, and an OSC had to be certified before it could be awarded a contract containing that clause.
The impact of this change is limited to mission-critical instances. With a waiver, an OSC would be excluded from CMMC 2.0 requirements. The DoD has stated that senior leadership reserves the right to grant waivers for mission-critical instances. Specifics are forthcoming and will be implemented as part of the rulemaking process.
Change 6: CMMC-AB Will Be an Accreditation Body
Under CMMC 2.0, the CMMC-AB continues to be the accreditation body for CMMC assessors, C3PAOs and CMMC Assessor Instructor Certification Organizations (CAICOs). However, the AB must first achieve compliance with ISO/IEC 17011:2017, the standard for bodies that accredit conformity assessment bodies (in this case, the C3PAOs). C3PAOs in turn are required to comply with ISO/IEC 17020:2012, the conformity assessment standard for inspection bodies.
Request a Consultation with the Experts at Vaultes
One of the most common questions regarding CMMC 2.0 is who needs the certification. Unlike CMMC version 1.0, which required all DoD contractors to undergo third-party assessments to meet compliance, version 2.0 assessment requirements are clearer and simpler. Requirements are based mostly on the type of information a DIB organization works with and how critical that information is to national security.
Defense contractors who are interested in getting started with CMMC compliance should begin by becoming familiar with the 110 controls in NIST SP 800-171. Preparing to meet these controls can be a lengthy process that varies greatly based on your current cybersecurity posture. For more information about the requirements for the three CMMC 2.0 levels, or how to prepare, contact the cybersecurity consultants at Vaultes online or over the phone at 202.868.8850.