Late last week, the Pentagon announced the completion of its CMMC internal review. With this announcement came the reveal of CMMC 2.0, signaling major changes to the original model in the DFARS Interim Rule.
So what are these changes, and how do they affect your business?
CMMC 2.0 — What Has Changed?
The Department of Defense originally introduced Cybersecurity Maturity Model Certification (CMMC) to add stronger cybersecurity with greater accountability to the Defense Industrial Base (DIB). During its review phase, the standard received vocal criticism from smaller contractors. With the internal review now complete, it appears the DoD has taken those criticisms to heart.
Here are the biggest changes to CMMC:
1. No More Transition Levels
CMMC 2.0 brings a major structural change to the original model. CMMC 1.0 contained five maturity levels. This new version removes the transition levels—Level 2 and Level 4—creating a cleaner model with just three levels.
CMMC 2.0 Level 1 (Foundational) remains the required level for companies who don’t handle Controlled Unclassified Information (CUI) but only handle Federal Contract Information (FCI).
CMMC 2.0 Level 2 (Advanced) replaces the original CMMC Level 3. This is the required level for contractors who handle CUI. However, it only contains 110 of the 130 practices in the original Level 3. More on that below.
CMMC 2.0 Level 3 (Expert) now contains the more stringent requirements of the original Level 5. Relatively few contractors will require this specialized level of cybersecurity.
2. No More Third-Party Assessment for Level 1
If you only require CMMC Level 1, this is great news.
In the original version of CMMC, every maturity level required official assessment by a Certified Third Party Assessment Organization (C3PAO).
Now, businesses at CMMC Level 1 will not require such an assessment. Instead, they will perform annual self-assessment with affirmation by senior leadership, submitted to the Suppler Performance Risk System (SPRS). This will save small contractors big money in assessment costs.
3. Some Level 2 Companies Won’t Require Third-Party Assessment—Perhaps
This is perhaps the most nebulous change. The DoD has proposed a “bifurcation” of the original CMMC Level 3 requirements, prioritizing certain acquisitions for third-party assessment while allowing others to self-attest their compliance.
What exactly does this mean for your business? Until the government provides further clarification, it’s impossible to know for sure. In the meantime, it’s best to prepare as if all CMMC Level 2 companies (formerly Level 3) will require a third-party assessment.
4. No More Additional Practices
This directly affects contractors who handle CUI. The original CMMC requirements added 20 unique practices to the original 110 of NIST SP 800-171. These 20 additional requirements have now been dropped entirely.
110 practices still isn’t a small number, but this removes some of the burden for CUI-handling contractors.
5. No More Maturity Processes
CMMC 2.0 no longer contains the maturity processes of the original version. This drastically cuts down the required documentation and removes much ambiguity from the old model.
6. Plan of Action and Milestones (POAM)
The previous version of CMMC required a 100% passing grade. But now, as with former DFARS requirements, contractors can submit a time-bound “Plan of Action and Milestones” to cover certain areas of non-compliance.
This means you no longer need a perfect compliance score to receive certification. You can present a definite, time-framed plan to fill reasonable gaps in your compliance. After a period determined by the DoD, you will be re-assessed to ensure the POAM items have been remediated.
Note that some practices may be considered too essential for a POAM. Such items will still require full compliance.
This change should relieve a good deal of stress from the assessment process, offering a path forward if you don’t achieve a perfect score.
What This Means For You
It appears that the DoD has heard the concerns of small businesses and taken them seriously.
If you’ve been preparing for CMMC, these changes might feel overwhelming. But ultimately, they should make the process simpler and more affordable for small contractors.
CMMC still has not appeared in actual defense contracts. The rollout will likely take longer than previously expected as these proposed changes are finalized. Even so, contractors must continue to meet the self-assessment requirements of the DFARS Interim Rule.
If you’re expecting to require CMMC Level 1 or Level 2 (previously Level 3), these changes should bring some relief. But they shouldn’t be seen as a reason to stop preparing. CMMC is still on the way, and every contractor will still require some level of certification, self-assessed or otherwise.
Let Us Handle The Uncertainty
As always, Core Business Solutions is here to help. Our cybersecurity experts are committed to keeping you up-to-date on the latest CMMC changes. As a CMMC-AB Registered Provider Organization, we’re an officially recognized source of CMMC consulting help. We also have a growing team of CMMC-AB Registered Practitioners on staff, specifically trained to help you implement the requirements of CMMC.
We also offer technical solutions to help you meet NIST/CMMC requirements, such as self-assessment tools and secure FCI/CUI storage for CORE subscribers. Here’s a look at how Core Business Solutions can help defense contractors:
- Our compliance and cybersecurity consultants help you learn the requirements of CMMC and apply them to your specific context.
- We provide online training for your leadership, staff, and IT professionals.
- We assist your company with self-assessment and submission to SPRS.
- We assist your company in preparation for the third-party certification audit.
- For CORE subscribers, we deliver the technical security solutions required for certification, such as vulnerability scanning, penetration testing, email phishing testing, managed antivirus, managed patch management, secure data backup, secure file storage/sharing, and more.
- For CORE subscribers, we offer on-premise and cloud-based enclave solutions for secure, encrypted computing environments.
When you work with Core, you take the uncertainty out of CMMC. Give us a call at 866.354.0300 or contact us today for a free quote.