DoD Announces CMMC 2.0: “Ok, ok… we’ll only audit some of you.”
Nov. 5th, 2021
On November 5th, 2021, the Department of Defense released its plans to modify the CMMC program. The changes, which many view as a win for DIB small businesses, have been branded CMMC 2.0.
Changes to the Model
One of the first notable changes is a reduction in levels.
CMMC originally contained 5 levels.
Version 2.0 reduces the total to 3 levels.
Level 1 remains unchanged as "basic cyber hygiene" (the safeguarding practices already required for FCI). Level 2 is now the complete set of 110 security requirements in NIST SP 800-171, replacing the original CMMC Level 3. Level 3 takes the place of the former Levels 4 and 5 and is based on a subset of the enhanced requirements in NIST SP 800-172.
It’s likely most contractors that handle CUI/CDI will now be aiming for Level 2.
CMMC 1.0 level -> CMMC 2.0 level
Level 1 -> Level 1
Level 3 -> Level 2
Level 5 -> Level 3
Changes to the Requirements
Under the new model, the 20 additional ("delta") practices that CMMC 1.0 Level 3 layered on top of NIST SP 800-171 have been removed.
This should slightly reduce the dollars and hours it takes to achieve compliance with CMMC Level 2.
DoD has also stated it plans to remove the processes side of CMMC altogether (cue angelic singing).
CMMC 1.0's processes were essentially a list of must-have policies, procedures and resourcing plans, assessed separately from the practices themselves. This doesn't necessarily mean CMMC 2.0 will require no documented policies at all, but the focus will shift to whether the practices are actually implemented.
Lastly, POA&Ms are back.
That's right, you can now get by with deficiencies, provided you have documented, detailed plans to correct them. DoD has mentioned both a list of requirements for which a POA&M will not be accepted and a time limit for closing out open items, but the specifics have not been provided.
Changes to Certification Award
Levels 1 and 2 of the new model will no longer require every contractor to undergo a third-party assessment.
This is arguably the biggest change in CMMC 2.0.
This means that many DIB companies need only self-attest that they've effectively implemented the CMMC requirements, much as they do today under DFARS 252.204-7012 for NIST SP 800-171. Those self-attesting will still need a System Security Plan, a Plan of Action and Milestones and an up-to-date SPRS score. CMMC 2.0 will require contractors to formally self-attest annually, with an affirmation from a senior company official, though we're unsure what exactly that process will look like.
It's worth noting that some Level 2 contractors will still need to undergo a third-party assessment, specifically if their contract involves information critical to national security. All Level 3 contractors will need to undergo an assessment led by the government itself.
What We Don’t Know
CMMC 2.0 won't be a contractual requirement until the Department progresses through the rulemaking process and codifies CMMC 2.0 in DFARS. This process can take 9 to 24 months.
Some sort of incentive program is being constructed to encourage organizations to start early, but no details are provided at this time.
CMMC AB’s Role
Under CMMC 1.0, the CMMC Accreditation Body was tasked with overseeing CMMC assessments and assessor training. Last week, the government indicated it was renegotiating its contract with the AB. If the AB remains involved in CMMC, we expect its role to be reduced as the government becomes more involved in the execution and operation of the program.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy said in a release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”