CMMC 2.0: What to Know, What to Do, and How to Prepare
November 15, 2021 • Jacob Nix
If you’re a government contractor or a member of the Defense Industrial Base (DIB) at large, you’re likely wondering about the ramifications of CMMC 2.0 and how they’ll affect your organization.
Fortunately, the Department of Defense’s months-long review of CMMC 1.0 has resulted in a more streamlined standard. Although a number of key changes will take immediate effect once the rulemaking process concludes, the new standard should ultimately simplify programs across the DIB.
Here are the key changes brought forth by CMMC 2.0, as well as key deliverables to consider.
What to Know
The most notable change with CMMC 2.0 is the reduction in Levels from 5 to 3.
Level 1 – 17 practices (aligned with FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems)
Level 2 – 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
Level 3 – 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)
As described, these levels are defined by required security practices and controls, NIST SP 800-171 and 800-172 in particular, rather than by maturity processes as in CMMC 1.0.
Expanded Self-Assessment Eligibility
Under CMMC 2.0, eligibility to self-assess is tiered by level. That being said, the CMMC-AB will continue accrediting CMMC Third-Party Assessor Organizations (C3PAOs), and the DoD will have more oversight of assessments, primarily at Level 3. The expanded self-assessment eligibility permitted under CMMC 2.0 includes:
Level 1 – Annual self-assessments, with company self-certification of compliance.
Level 2 – Two approaches: triennial third-party assessments for “critical national security information” and annual self-assessments (as in Level 1) for other programs. Third-party assessments will be conducted by C3PAOs.
Note: specific language clarifying requirements for each approach will be included in the contract, but for now, the distinguishing factors remain unclear.
Level 3 – Government-level assessments required from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
What to Do
While it could take up to a year for CMMC 2.0 to complete the federal rulemaking process, organizations would be wise to begin implementation as soon as possible, given that the provisions of CMMC 2.0 will be effective immediately upon approval. If you’re a member of the DIB, here are two simple ways to make sure you’re prepared for 2.0.
Align with NIST SP 800-171
NIST SP 800-171 is now the law of the land. Since it will be the standard for both self-assessments and third-party assessments under CMMC 2.0, the DIB community should ensure its controls are aligned with it as closely as possible. For more sensitive DoD contracts and data, the same can be said of NIST SP 800-172.
Consider early certification
Shortly after the DoD announced its changes to CMMC, it indicated that it may implement financial incentives for organizations that voluntarily adopt the CMMC 2.0 changes early. If your organization was preparing for CMMC certification under the original framework, applying for early 2.0 certification may benefit you in more ways than one.
Want to learn more about how to prepare for CMMC 2.0? Get in touch with a member of our team below.