CMMC 2.0 Overview: What Changed?

Posted by Ignyte Team

November 9, 2021

The Cybersecurity Maturity Model Certification (CMMC) is an emerging Department of Defense program created to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled by companies within the Defense Industrial Base (DIB).

By incorporating a set of cybersecurity requirements into acquisition programs, it raises the level of data protection and provides assurance that defense contractors and subcontractors apply appropriate safeguards when accessing and exchanging sensitive government information.

On November 4, 2021, the Office of the Secretary of Defense (OSD) released an update to the program, CMMC 2.0. Below we look at what changed since the CMMC 1.0 interim rule became effective on November 30, 2020, and what new requirements the amended program introduces.

3 Key Features That Remained Unchanged

  1. CMMC requires progressively more advanced cybersecurity standards from companies entrusted with national security information, depending on the type and sensitivity of the information they handle.
  2. Prime contractors are responsible for flowing the CMMC requirements down to their subcontractors.
  3. By 2026, DoD contractors that handle FCI or CUI will be required to achieve a particular CMMC level as a condition of contract award.

Timeline

In September 2020, the Department of Defense (DoD) published an interim rule amending the DFARS in the Federal Register (DFARS Case 2019-D041), implementing the DoD's initial vision for CMMC 1.0.

On November 30, 2020, the interim rule became effective, establishing a five-year phase-in period.

Earlier in 2021, the DoD initiated an internal review of the program, prompted by more than 850 public comments on the interim DFARS rule. That review led to refinements of the policy and of the CMMC program's implementation, and to the recent announcement of CMMC 2.0.

What changed?

For most organizations in the Defense Industrial Base (DIB), the practical change is that they will now be required to certify at Level 2 (the equivalent of Level 3 under CMMC 1.0). Beyond that, CMMC 2.0 introduces fundamental changes (refer to figure 1) that build upon and refine the original program requirements; organizations should understand these changes and plan accordingly.

3 Levels instead of 5

CMMC 2.0 focuses on the most critical cybersecurity requirements, reducing the number of certification levels from 5 to 3 by eliminating the transitional levels 2 and 4 of CMMC 1.0. The revised levels are Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).

Protected CUI

Like its predecessor, CMMC 2.0 is built on NIST cybersecurity standards. The Advanced level (Level 2) requires full implementation of the 110 security requirements of NIST SP 800-171 for protecting CUI, and the Expert level (Level 3) adds requirements drawn from NIST SP 800-172 to further protect CUI against advanced persistent threats.

It is also important to note that Level 2 drops the 21 CMMC-unique practices that CMMC 1.0 Level 3 had drawn from other sources, such as CERT RMM v1.2, NIST SP 800-53, NIST SP 800-171B, ISO 27002, and CIS CSC 7.1; Level 2 now aligns directly with NIST SP 800-171.

Reduced Assessment Costs with Higher Accountability

Organizations at the Foundational level (Level 1) can now self-assess annually. At the Advanced level (Level 2), requirements are split: self-assessment for select programs, and triennial third-party assessments for programs involving information critical to national security. In addition, the DoD will increase its oversight of the professional and ethical standards of CMMC Third-Party Assessment Organizations (C3PAOs) and their assessors.

Collaboration, Flexibility, and Speed

Under specific conditions, companies may receive waivers for select mission-critical requirements, or obtain certification while carrying a time-bound Plan of Action and Milestones (POA&M), with the expectation that the outstanding CMMC requirements will be met within a defined period.

Ignyte shares changes to CMMC 2.0
