What is CMMC 2.0: Practice vs. Maturity Framework

What is CMMC 2.0

Aaron McCray, Ignyte’s Chief Operating Officer, is at the forefront of our mission to demystify CMMC 2.0. With a background as a commercial risk management leader and a distinguished role as a Commander in the U.S. Navy Reserves, his unique expertise positions him as a leading authority in the field of cybersecurity.

Aaron’s commitment to helping organizations navigate the complexities of cybersecurity standards extends beyond CMMC 2.0. He is also well-versed in NIST SP 800-171, NIST SP 800-172, NIST SP 800-53, and FedRAMP requirements. His dedication to enhancing the preparedness of organizations dealing with sensitive information is evident in his role at Ignyte, where he plays a pivotal part in raising awareness and readiness in the ever-evolving landscape of cybersecurity compliance.

In the video below, Aaron provides a concise yet comprehensive overview of CMMC 2.0, shedding light on the critical distinctions between practice levels and maturity levels. His insights offer valuable guidance to organizations aiming to fortify their cybersecurity posture in an increasingly digital and interconnected world.

What is CMMC 2.0 and Levels: Practice vs. Maturity

What is CMMC 2.0? When CMMC was first introduced by the DoD, its purpose was to “normalize and standardize cybersecurity preparedness across the federal government’s Defense Industrial Base or DIB.”

Essentially, the DoD recognized a weakness in cybersecurity hygiene practices in its supply chain, and so CMMC became the standard the DIB would be “graded” against to ensure the protection of sensitive information, in particular Controlled Unclassified Information (CUI).

Under the original model, to achieve a given CMMC level an organization had to demonstrate both the technical practices and the maturity processes defined at that level.

Now, with the introduction of CMMC 2.0, the purpose has evolved to “building upon the initial CMMC framework to dynamically enhance the DIB’s cybersecurity practices against evolving threats”.

Ironically, it appears that the maturity processes have gone away; it remains to be seen how, or whether, the DoD addresses “maturity” in the rulemaking process for 2.0. So, do we drop one of the “M’s” in CMMC? It seems silly, but I guess time will tell.

What is maturity anyway?

The “maturity” portion of CMMC came from the Capability Maturity Model Integration, or CMMI, process. Essentially, it is a behavioral model that helps organizations gain efficiencies in process improvement and encourages productive, effective behaviors that decrease risk in systems and processes.

CMMI was initially developed by the Software Engineering Institute at Carnegie Mellon University as a process improvement tool for projects and organizations. The DoD and the U.S. Government helped develop CMMI, and it became a common requirement in DoD and U.S. Government software development contracts.

You can start to see the correlation between CMMI and CMMC as it relates to awarding contracts to the DIB and ensuring that their cybersecurity processes continuously improve.

What is CMMC 2.0 and Levels?

So, now that we understand the difference between practice levels and maturity levels, how does it apply to CMMC 2.0? What are the new CMMC levels organizations need to focus on?

In the old CMMC Model 1.0, organizations had to achieve a CMMC maturity level based on the sensitivity of the DoD information they handled, processed, stored, etc. While CMMC 1.0 was based on five levels, CMMC 2.0 has reduced those levels to three:

  • Level 1 – Foundational
  • Level 2 – Advanced
  • Level 3 – Expert

As with CMMC 1.0, the three levels are based on specified practices of increasing sophistication, with each level including the practices from the previous level:

  • Level 1 – 17 practices (aligned with FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems)
  • Level 2 – 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
  • Level 3 – 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)

Tiered Level Assessments

While CMMC 1.0 required third-party assessments for all levels, CMMC 2.0 has reduced the requirement for third-party assessments, allowing self-assessments in certain circumstances:

  • Level 1 – Annual self-assessments will be permitted, with company self-certification of compliance. It is my assumption that senior executives will have to sign off on these self-attestations.
  • Level 2 – This level is bifurcated: if your organization is deemed to handle “critical national security information”, a triennial third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO) will be required. All other organizations at this level can perform self-assessments, just like organizations at Level 1.
  • Level 3 – A government-led assessment will be required, likely by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Additionally, it is important to note that under certain circumstances, which have yet to be defined, the DoD intends to allow contractors to continue to use Plans of Action and Milestones (POA&Ms) to reach certification compliance and receive a contract award before every requirement is fully implemented, provided the POA&Ms contain specific deadlines for completion of the remaining items (e.g., 180 days or less).

The DoD has also built flexibility into the requirements, intending to implement a process to waive CMMC requirements under certain limited circumstances. The specifics of that process will be defined as part of the rulemaking.

Let’s summarize What is CMMC 2.0 and Levels

In summary, CMMC 2.0 marks a significant shift in the certification landscape. Unlike its predecessor, it appears to omit the concept of maturity processes, streamlining the focus on practice levels. With just three levels to consider, organizations can better tailor their efforts to the specific demands of their contracts and security requirements. Depending on the level you aim to certify at, your certification path will differ, with options for self-assessment, third-party assessment by a C3PAO, or government-led assessment by DIBCAC. This adaptability, along with a continued emphasis on NIST SP 800-171 and 800-172, represents a more agile and practical approach to cybersecurity certification in the evolving landscape of CMMC 2.0.

We value your engagement and are here to provide further clarity on these pivotal changes and the intricacies of CMMC 2.0 and its levels. Your questions and comments are not only welcomed but encouraged, as they enable us to foster a deeper understanding of this evolving landscape. Feel free to reach out to us at info@Ignyteplatform.com, and our dedicated team of experts will be readily available to address your inquiries and provide the guidance you need to navigate the complex terrain of cybersecurity compliance. Your cybersecurity readiness is our priority, and together we can ensure your organization’s resilience in the face of emerging threats and challenges.
