Staying Current with CMMC 2.0


The Department of Defense (DoD) has made a number of changes to the Cybersecurity Maturity Model Certification (CMMC) program since its initial release in 2019. The most recent changes, which were announced in November 2021, are significant and will impact all DoD contractors. The most notable changes to CMMC 2.0 include:

Elimination of Levels 2 and 4: CMMC 1.0 had five levels of maturity, with Level 3 being the minimum requirement for most DoD contracts. CMMC 2.0 eliminates Levels 2 and 4, leaving only Levels 1, 3, and 5. The levels have not been renumbered to avoid conflicts with organizations that certified previously at levels 2 or 4.

Removal of CMMC-unique practices: CMMC 1.0 included a number of practices that were specific to the CMMC program. These practices have been removed from CMMC 2.0, and all requirements are now based on industry standards; the CMMC-specific controls have been replaced with industry-standard controls.

Reorganization of the CMMC Model: The CMMC Model has been reorganized in CMMC 2.0 to make it easier to understand and implement. The new model is divided into three domains: Foundational, Operational, and Advanced. The previous domains have been collapsed into just these three domains. Information System and Services Acquisition was removed because it was not considered to be a critical part of cybersecurity. Supply Chain Risk Management was removed because it was duplicative of other requirements in the CMMC model.

Changes to the assessment process: The assessment process for CMMC 2.0 has also been changed. Third-party assessors will now be required to use a new assessment guide, and the scoring system has been modified. Self-assessment is available for Level 1 certification. Organizations that choose to self-assess must still follow the same requirements as those who undergo third-party assessment, including completing a self-assessment guide and submitting an affirmation to the Supplier Performance Risk System (SPRS).

The changes to CMMC 2.0 are significant and will require DoD contractors to make changes to their cybersecurity programs. Organizations should begin planning for these changes now to ensure that they are prepared for the new requirements.

In addition to the changes mentioned above, the DoD has also announced a number of other changes to the CMMC program, including:

A delay in the implementation of CMMC: The DoD has delayed the implementation of CMMC until 2024. This delay will give contractors more time to prepare for the new requirements.

A new pilot program: The DoD is launching a new pilot program to test the new CMMC requirements. The pilot program will involve a small number of contractors and will provide the DoD with valuable feedback on the new requirements.

The changes to CMMC are a significant development for DoD contractors. Organizations should stay up to date on the latest changes and make plans to comply with the new requirements.

Note: This is an update to my previous blog post about achieving CMMC compliance.
