Cybersecurity Maturity Model Certification (CMMC) has undergone significant changes with the introduction of CMMC 2.0, a streamlined and updated version of the framework first introduced by the Department of Defense (DoD). This revision aims to simplify the compliance process, reduce costs, and ensure better accountability across contractors in the Defense Industrial Base (DIB) sector.
Understanding these updates is crucial for businesses that provide goods or services to the DoD. Whether you’re new to CMMC or already in the certification process, this article breaks down the key changes and clarifies what they mean for your business.
What is CMMC 2.0?
CMMC (Cybersecurity Maturity Model Certification) was created by the DoD to ensure its contractors meet specific cybersecurity standards to protect sensitive information. Initially introduced in 2020, the framework required all contractors to be certified to demonstrate compliance with safeguarding federal contract information (FCI) and controlled unclassified information (CUI).
CMMC 2.0, released in late 2021, builds upon the original while addressing some of the concerns raised by the DIB community. This new iteration aims to be less burdensome while maintaining robust cybersecurity requirements.
3 Key Updates in CMMC 2.0
1. Reduced Levels of Compliance
Under the original CMMC framework, there were five certification levels ranging from “Basic Cyber Hygiene” to “Advanced/Progressive.” This structure has now been condensed into three levels:
- Level 1 (Foundational): Focuses on basic cybersecurity practices to protect FCI, aligned with the 17 practices in FAR clause 52.204-21.
- Level 2 (Advanced): Protects CUI and requires compliance with a subset of NIST SP 800-171 controls, amounting to 110 practices.
- Level 3 (Expert): Protects highly sensitive government information, with requirements expected to align with NIST SP 800-172 (further details are forthcoming).
By reducing the levels from five to three, CMMC 2.0 simplifies compliance requirements and makes it easier for contractors to understand their obligations.
2. Flexibility in Self-Assessment
CMMC 2.0 introduces more flexibility for Level 1 and some Level 2 contractors by allowing self-assessment in place of a third-party audit. Previously, all levels required third-party audits, which added time and cost to the process.
- Level 1 contractors can now self-certify annually, eliminating the need for third-party verification.
- Level 2 contractors working on less critical programs may also self-assess. However, contractors handling higher-priority projects must still undergo third-party certification.
This flexibility significantly reduces costs for small and mid-sized businesses that would otherwise need to engage a Certified Third-Party Assessor Organization (C3PAO).
3. Streamlined Process for Implementation
To encourage adoption, CMMC 2.0 has simplified and clarified the paths to compliance:
- Contractors can work towards compliance while still bidding for DoD contracts, as long as they provide a detailed Plan of Actions and Milestones (POA&M) outlining their plan to address any gaps.
- Waivers may be granted under specific circumstances, providing contractors with additional leeway to meet compliance requirements.
These changes aim to reduce the administrative burden on businesses, especially those navigating tight project timelines.
What Do These Changes Mean for Your Business?
For Small to Mid-Sized Businesses
If you’re a smaller contractor, the reduced levels and ability to self-assess for Level 1 can lower the cost and complexity of compliance. This can make it more feasible to bid on DoD contracts without being overwhelmed by certification requirements. However, it’s crucial to maintain accurate records and prepare for potential audits if your contracts involve sensitive information.
For Larger Businesses
For higher-level compliance (e.g., Level 2 and Level 3), you’ll still need to prepare for external audits. The streamlining of processes and clearer guidance can help your teams efficiently work towards compliance. Ensure your cybersecurity program aligns with NIST SP 800-171 and SP 800-172 to maintain eligibility for critical contracts.
Preparation is Key
Whether you’re required to self-assess or undergo third-party auditing, preparing early is essential. Conducting a thorough internal review of your current cybersecurity practices will help ensure your business is prepared for certification. Work towards addressing any gaps identified in your environment, and keep an updated POA&M for any unresolved issues.