The basic premise of the CMMC is to ensure that by 2025, all the DoD supply chain contractors and subcontractors, except for the providers of commercial-off-the-shelf products, should get a third-party certification for their proficiency in cybersecurity before embarking on the awarded contract.
CMMC was established for a good reason; there was an increase and the sophistication of cybersecurity threats. The Department of Defense had enough compelling evidence the contractors had insufficient compliance with the existing cybersecurity self-certifications. CMMC was announced first in January 2020. It aimed at over 300,000 DIB companies to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the various cyber threats.
What is CMMC 2.0?
The first version of CMMC had five compliance security levels; level 1 (Basic), level 2 (intermediate), level 3 (Good), level 4 (proactive), and level 5 (advanced). Each level added an extra protection layer to any company that adhered to it.
However, small businesses found having the 5 levels of CMMC too expensive. As a result, on 4th November 2021, CMMC 2.0 was released. CMMC 2.0 changed the number of levels from five to three, updating and consolidating the previous standard.
What Is New In CMMC 2.0?
CMMC 2.0 framework will use a more targeted and simplified approach in securing sensitive information. The new standard consolidated some security tiers of the CMMC model, removing levels 2 and 4 and their related maturity practices.
In CMMC 1.0, tier 1, 3, and 5 requirements were based on guidance from FAR (Federal Acquisition Regulation) and NIST. The requirements for tiers 4 and 2 weren't based on the existing federal guidance. CMMC formulated them. The removal of the CMMC-unique processes and practices in CMMC 2.0 aligns with NIST 800-171. Below are the three levels of CMMC 2.0 and the changes.
CMMC 2.0 Level 1(Foundational)
This level comprises those companies which are FCI and not CUI. The contractors at this level must adhere to the 17 "basic cyber hygiene" security measures of the NIST SP 800-171. Though the foundational level practices are the same as those under the original CMMC, the revised program does not require the contractors holding only foundational certification to get CMMC certification and assessment. In CMMC 2.0, a yearly self-assessment of the network practices per the requirements of NIST SP 800-171 will be sufficient for compliance. The contractors maintaining this certification level must calculate and upload an assessment score to the SPRS.
CMMC 2.0 Level 2 (Advanced)
Contractors in advanced or level 2 certification will maintain NIST SP 800-171 security controls. Level 2 is divided into two groups based on criticality levels of the information held by the contractor. Contractors holding Controlled Unclassified Information containing Critical National Security Information will have to be assessed by a third-party three times annually. The contractors holding non-critical information will be allowed to show compliance using self-assessments. The guidelines that DoD plans to use for measuring criticality is are not clear currently.
CMMC 2.0 Level 3 (Expert)
This level is parallel to level 5 of the original standard. It comprises contractors holding Controlled Unclassified Information and the most critical and highest priority defense programs. The contractors holding expert-level certification are required to be compliant with over 110 security practices of the NIST 800-172, which is still under finalization by DoD. The Department of Defense will assess level three contractors itself tri-annually.
Development Of Enforceable And Time-Bound POA&Ms
CMMC 2.0 now allows for enforceable and time-bound POA&Ms, that were not in the original CMMC standard. It enables the contractors without all the cybersecurity requirements during an assessment to continue working with the Department of Defense while implementing the remediation action plan to get certified in the future. The offer is limited to six months or 180 days.
Development Of Time-Bound Selective Waiver Process
There will be a waiver process to exclude the contractors from adhering to the select CMMC requirements for various mission-critical requirements in CMMC 2.0. The waiver will be for a limited period and d subject to approval by the senior leadership. The waivers will be for all the CMMC requirements with the approval of the senior leadership at DoD on a case-by-case basis. DoD expects contractors to use the waiver for time-critical acquisitions where CMMC would reduce mission-critical capabilities.
What Level Of CMMC 2.0 Does Your Company Require?
For organizations handling Federal Contract Information, they would need level 1. Contractors handling Controlled Unclassified Information, the level will be included in their request for solicitations and information. However, there will be no additional CMMC requirements for the contracts until the completion of the rule-making process.
CMMC 2.0 is here with many changes to the original version of CMMC. The formation of the Civil Fraud Cyber Initiative by the DOJ also informed the release of the revised version. Stay abreast with changes in the new standard and ensure your company uses the proper level when the official rule-making process is finalized. CMMC 2.0 will make operations in small businesses easier. To learn more about compliance and security, visit Cleared Systems.