CMMC 2.0 Model

Share 0
Tweet 0
Share 0
Table of Contents

Home     |     Steps to Compliance     |     Understanding CMMC

minutes remaining

This post contains information regarding the CMMC 2.0 model.

The DoD is in the process of writing rules to clarify the changes made in CMMC 2.0. This could take 9-24 months to complete. Meanwhile, DoD recommends that contractors work toward compliance with NIST SP 800-171 as the required controls can take months to implement.

The Cybersecurity Maturity Model Certification (CMMC) program was created by the U.S. Department of Defense (DoD) in order to improve the cybersecurity efforts of the national defense supply chain. This regulatory compliance program incorporates three levels of fundamental cybersecurity requirements into the acquisition and contract process. The CMMC 2.0 model requirements provide greater assurance to the DoD that defense contractors and subcontractors are taking measures to protect sensitive controlled unclassified information (CUI) within their systems.

As a precursor to CMMC, the DoD released a DFARS amendment, (DFARS Case 2019-D041), or the DFARS Interim Rule. The rule establishes requirements for the reporting of NIST SP 800-171 self-assessment compliance scores and remediation beginning November 30, 2020.

See DFARS Rule 2019-D041

What was the CMMC 1.0 Model?

CMMC 2.0 replaced the original 1.0 model in November 2021. Read about CMMC 2.0.

The government’s initial approach to improving the fundamental security controls within the Defense Industrial Base (DIB) required compliance with NIST SP 800-171 through DFARS 252.204-7012. Contractors had to self-attest to compliance with the 110 controls outlined in the publication. However, when self-attestation with NIST SP 800-171 was deemed lacking, the government released what is now referred to as “CMMC 1.0” in early 2020.

Complex Model

This version of CMMC contained five “maturity levels,” requiring that contractors with access only to federal contract information (FCI) certify at Level 1 and implement 17 controls. Next, those with access to any amount of CUI had to certify at Level 3 and implement 130 controls, 20 of which were CMMC-specific and added to the foundational 110 NIST SP 800-171 controls. Finally, certain companies subject to increased CUI protection had to certify at Level 5 and implement 171 controls. Levels 2 and 4 were transition steps to Levels 3 and 5, respectively. No company could certify at Level 2 or 4.

Mandatory Third-Party Certification

Unlike NIST SP 800-171, CMMC 1.0 did not offer the option to self-attest to compliance in order to qualify for a contract. Instead, each contractor whose system contained any amount of CUI needed an assessment by a Certified Third-Party Assessor Organization (C3PAO). With an estimated 300,000 contractors affected by the regulations and only five C3PAOs available to perform assessments (as of November 2020), the DoD quickly realized that their initial goals were unsustainable.

The certification process was originally planned to begin as C3PAOs became available. In an effort to minimize barriers to program implementation, the DoD began its internal review of the program in March 2021. Ultimately, this review led to the announcement of major program changes in November 2021: CMMC 2.0.

What is the CMMC 2.0 Model?

The DoD announced changes to its new cybersecurity model on November 4, 2021. Introducing several changes that build on and refine the original program requirements, the CMMC 2.0 model includes three key features:

  • Tiered Model: Companies entrusted with national security information, depending on the type and sensitivity, must implement cybersecurity standards at progressively higher levels. The program also establishes a procedure for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments enable the DoD to confirm the implementation of clear cybersecurity standards.
  • Implementation through contracts: Once requirements are fully implemented, certain DoD contractors who handle sensitive unclassified DoD information must meet a specific CMMC level as a condition of contract award.

Streamlined Model

CMMC 2.0 changes the model from five to three compliance levels, taking out the “stepping stone” Levels 2 and 4. Now, the model aligns with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards.

CMMC 1.0 Levels

  • Level 1 (Basic)
  • Level 2 (Intermediate, Transition Stage
  • Level 3 (Good)
  • Level 4 (Proactive, Transition Stage
  • Level 5 (Advanced/Progressive)

CMMC 2.0 Levels

  • Level 1 (Foundational, same as 1.0)

  • Level 2 (Advanced, previous Level 3)

  • Level 3 (Expert, previous Level 5)

CMMC 1.0 Requirements

  • Cybersecurity standards and maturity processes at each level
  • Cybersecurity requirements contain 110 NIST SP 800-171 practices and CMMC-unique practices

CMMC 2.0 Requirements

  • Cybersecurity standards only, eliminates maturity processes
  • Eliminates CMMC-unique security practices
  • Level 2 will mirror NIST SP 800-171 (110 practices)
  • Level 3 will be taken from NIST SP 800-172 requirements

Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.

More Access to Certification

CMMC 1.0

  • Contractors certifying at Levels 1, 3, and 5 had to undergo a C3PAO assessment for certification

CMMC 2.0

  • Only organizations certifying at Level 3 and a portion of those at Level 2 need a third-party assessment
  • All Level 1 organizations, and some Level 2 organizations, may submit an annual self-assessment to prove compliance
  • Under certain limited circumstances, companies may submit a Plan of Action and Milestones (POA&M) to achieve certification 
  • Some companies may qualify for CMMC requirement waivers under certain limited circumstances

Rulemaking

The rules to implement CMMC 2.0 are forthcoming. This could take anywhere from 9-24 months to complete. The DoD said that “CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program”1. However, the DoD and cybersecurity service providers recommend that contractors work toward compliance as the required controls take months to implement.

Sources

1 https://www.acq.osd.mil/cmmc/model.html

https://www.acq.osd.mil/dpap/policy/policyvault/USA002524-20-DPC.pdf

https://www.acq.osd.mil/cmmc/about-us.html

https://cmmcab.org/marketplace/?search_category=headline&q=&search_method=contains&cat=38

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never Miss a Post

Sign up to be updated with the newest CMMC Insights.

Approx. 2 emails per month. Read our Privacy policy.

>