On November 4, the DoD announced a change in direction to their tiered CMMC (Cybersecurity Maturity Model Certification) Program. They are calling the changed program CMMC 2.0.
According to a DoD Press Release, the CMMC change in direction still keeps with its original goal of the program, while at the same time:
- Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements
- Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs
- Increasing DoD oversight of professional and ethical standards in the assessment ecosystem
From five levels to three for CMMC
Under the previous CMMC program – coined CMMC 1.02 – there were five levels of cybersecurity; under CMMC 2.0, Levels Two and Four were eliminated. That left three levels with new names:
- Foundational
- Advanced
- Expert
How the levels changed
Before the change, the five levels of CMMC were referred to as Certification Levels, the new three levels are now called Compliance Levels. Basic requirements for the new levels are:
Foundational – Level 1
At the first new level, companies in the DIB (Defense Industrial Base) that receive exclusive FCI (Federal Contract Information) will be required to reach this new assessment level (the same as the old Level 1), but instead of submitting to a 3rd party assessment can now provide a self-assessment annually to attest they are meeting the 17 basic cybersecurity practices of the FAR (Federal Acquisition Regulation).
Advanced – Level 2
At the second level (the former Level 3), DIB companies must achieve all requirements of the Foundational Level and if they have access to FCI and CUI (Controlled Unclassified Information) – of which none which is critical to national security – they must attain the all 110 controls in NIST SP-800-171, plus the additional 61 NFO control in Appendix E. Companies at this Advanced level without critical national security information access can also self-assess.
However, DIB companies having critical national security FCI and CUI information access must undergo assessment by the CMMC-AB assessment branch C3PAO. The majority of companies doing business with the DoD will be at this CMMC 2.0 Compliance Level.
Expert – Level 3
This new level replaced the old Levels 4 and 5. At the Expert Level, companies that access FCI and CUI, but are also subject to some or all of the 35 controls in NIST SP-800-172, will undergo assessment by the DOD itself. The estimate is this level will apply to only about 200 companies.
Exempt
While not a level itself, it is a new rule where companies that provide only Commercial Off-The-Shelf (COS) products are exempt from CMMC 2.0 requirements.
CMMC 2.0 Implementation Timeline
The DoD estimates it will take from nine to twenty-four months to implement the new CMMC 2.0 rules. Until then, no CMMC requirements will be included in DoD contracts and the current CMMC requirements planned this year for the 15 pilot contracts will be suspended.
However, in the interim, businesses that will have to attain some level of CMMC should use this time to start working toward their level of compliance based on the level they will need to attain.
Jesse Salazar, deputy assistant secretary of defense for industrial policy recently said of the change, “CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base. By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
