November 19, 2021
CMMC 2.0 is Here: 6 Key Updates
On November 4, 2021, the Department of Defense (DoD) released the much-anticipated updates to the Cybersecurity Maturity Model Certification (CMMC), dubbed “CMMC 2.0”, following a comprehensive review of over 850 public comments in response to the interim rule establishing CMMC 1.0. The updates simplify the program and reduce it in both scope and expectations, making it easier to understand and more feasible for contractors.
While the simplifications may be welcome, the updates are also confirmation that the requirement for contractors to comply with CMMC is fast approaching. The DoD has indicated that CMMC certification will become a contractual requirement once they finalize the rulemaking between August 2022 and November 2023.
In this article, we’ll go over six key updates from CMMC 1.0 to CMMC 2.0, what you can expect next, and how you can start preparing.
What changed in CMMC 2.0?
Key revisions from CMMC 1.0 to CMMC 2.0 include simplifying the level structure and changes to the required security practices (aka controls), assessment process, certification process, and evidence requirements.
1. Levels are simplified and reorganized
CMMC 1.0 was structured around five levels, including two transition levels. In CMMC 2.0, the DoD removed those two transition levels, simplifying the structure to: “Foundational” (previously Level 1), “Advanced” (previously Level 3), and “Expert” (previously Level 5).
2. Controls are aligned with NIST
CMMC 1.0 used security controls from the National Institute of Standards and Technology (NIST) and introduced 46 additional practices that were specific to CMMC. In CMMC 2.0, those extra practices are eliminated, and the program now only uses NIST 800-171 and NIST 800-172 practices.
3. Process maturity requirements are eliminated
CMMC 1.0 required contractors to demonstrate that they had implemented the security practices and a certain level of process maturity to be certified. In CMMC 2.0, the process maturity requirements are eliminated, meaning contractors only have to demonstrate process implementation to be certified.
4. Self-assessments make a comeback and government-led assessments are introduced
CMMC 1.0 required contractors to be certified by a CMMC Third-Party Assessment Organization (C3PAO). In CMMC 2.0, self-assessments make a comeback and government-led assessments are introduced. For Level 1, contractors will be required to conduct annual self-assessments. For Level 2, contractors will be required to conduct self-assessments annually, be certified by a C3PAO every three years for prioritized acquisitions, or both depending on the contract. For Level 3, all contractors will be certified by a government-led assessment every three years.
5. Plan of Actions & Milestones (POAM) makes a comeback
CMMC 1.0 required contractors to have all practices implemented to be certified at Level 3 and Level 5. In CMMC 2.0, contractors may be granted the ability to implement time-bound (<180 days) POAMs to achieve full certification. Each contract will vary, but the DoD will specify which practices can be included as part of the POAM.
6. Limited waivers are introduced
CMMC 1.0 did now allow contractors to waive the CMMC requirements. In CMMC 2.0, the DoD will allow contractors, on a case-by-case basis and with senior leadership approval, to waive certain or all requirements under a specified timeline and associated risk mitigation plan. Such exemptions are expected to be limited, so contractors shouldn’t defer their preparations for CMMC certification based on the assumption they will be granted a waiver.
Do I need to comply with CMMC 2.0?
All suppliers in the Defense Industrial Base (DIB) will need to comply with the relevant requirements of CMMC 2.0 when the rulemaking is finalized—likely between August 2022 and November 2023. In the meantime, contractors should continue to prepare for certification. Learn more with our guide, The Step-by-Step Guide to Prepare for a CMMC Certification.
Additionally, contractors are still required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, which was released on September 29, 2020. The interim rule requires contractors to conduct a NIST 800-171 Basic Assessment using the DoD Assessment Methodology and submit their score into the Supplier Performance Risk System (SPRS). Learn more with our guide, The Complete Guide to the NIST 800-171 Basic Assessment.
How does SaltyCloud help?
SaltyCloud offers Isora GRC, a Governance, Risk, and Compliance (GRC) Assessment Platform that makes it easier for contractors to meet the cybersecurity requirements of the CMMC. It provides the ability to conduct assessments against the prescribed security frameworks (e.g., NIST 800-171, NIST 800-172, etc.), collect evidence, access dashboards, and export compliance reports and Plans of Action and Milestones (POAMs). SaltyCloud is a CMMC Registered Provider Organization (RPO). Learn more about Isora GRC.
The CMMC 2.0 updates simplify the program and reduce it in both scope and expectations, making it easier to understand and more feasible for contractors.
The updates also indicate that the DoD fully intends to deploy CMMC, with certification becoming a requirement in 2022 or 2023. Contractors should continue to prepare for certification and meet the requirements of the DFARS Interim Rule.
Getting CMMC certified takes time and preparation. This guide covers the five practical steps to go from zero to certified
This comprehensive guide covers everything you need to know about the NIST 800-171 Basic Assessment and the steps you can take to build a compliance process.
Scoping FCI & CUI is a necessary step to make NIST 800-171 & CMMC compliance more feasible and cost-effective. Read the Complete Scoping Guide.
This complete CMMC guide will review everything contractors need to know about CMMC, including its structure, requirements, and certification process.
CMMC 2.0 is Here: 6 Key Updates
The Department of Defense has released CMMC 2.0, introducing several new updates. Here are the six key takeaways contractors need to know
The DFARS Interim Rule came into effect on September 29, 2020, and it affects Higher Education Institutions that conduct DoD-sponsored research