Less than two years after the US Department of Defense (DoD) publicly released the first version of its Cybersecurity Maturity Model Certification (CMMC) framework, the DoD published a new document outlining a set of substantive revisions to the CMMC program. Though CMMC 1.0 was never fully implemented across the Defense Industrial Base (DIB), its rollout was far enough along for numerous stakeholders, including the CMMC third-party assessment organizations (C3PAOs) responsible for certifying compliance and the DIB vendors themselves, to report bottlenecks that inhibited implementation.
As a result, in an update published on November 4, 2021, the DoD introduced a considerably simplified version of the regulation. The result, dubbed CMMC 2.0, continues the program in a trimmed-down form that’s still intended to raise the bar for cybersecurity in the DIB by introducing standardized processes and assessments. Ultimately, it’s hoped that CMMC 2.0 will help greater numbers of organizations serving the DoD to improve their preparedness and cyber resilience. The idea is that the new rule’s simplicity will spur compliance.
What’s New in CMMC 2.0?
CMMC 1.0 included five distinct assessment levels, ranging from “basic cyber hygiene” to “advanced/progressive.” Which certification level a DoD contractor was required to meet depended upon the specific kinds of information it would handle and the kinds of work it did.
In CMMC 2.0, the number of assessment levels has been reduced to three. There’s Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert). In addition, the number of controls that are required to be implemented under each level has been decreased.
Another change concerns how compliance is demonstrated. CMMC 1.0 did not allow for self-attestation of compliance at any level; suppliers had to engage an independent C3PAO to validate their compliance. Nor could they demonstrate in-progress work toward compliance by submitting Plans of Action and Milestones (POA&Ms); every required practice had to be fully implemented before certification.
CMMC 2.0 incorporates more flexibility than CMMC 1.0. At Level 1, an organization needs to demonstrate basic cyber hygiene across the 17 safeguarding practices (the basic safeguarding requirements of FAR 52.204-21). Level 1 suppliers are now allowed to self-assess annually, though a senior executive within the business must attest to the organization’s level of compliance.
Level 2 organizations will need to demonstrate that they have implemented the 110 security requirements of NIST SP 800-171. This is a widely recognized standard that’s commonly applied in the DIB, but also used as a reference outside of it. Some Level 2 organizations (those handling less sensitive Controlled Unclassified Information) will need to complete annual self-assessments, while those on prioritized acquisitions will need to certify compliance through a C3PAO assessment every three years.
At Level 3, organizations will need to demonstrate compliance with NIST SP 800-171 as well as a subset of NIST SP 800-172. The latter adds enhanced security requirements designed to support a defense-in-depth approach within an industry that’s been a favorite target of threat actors. Level 3 organizations will be required to undergo a government-led assessment once every three years.
Unlike CMMC 1.0, CMMC 2.0 will allow the use of POA&Ms under certain circumstances: an organization can be assessed with some practices still open, provided the remaining items are closed within a strict time limit and the unimplemented practices are not among the most critical ones.
Why the Changes?
The goal of the revisions to the CMMC regulation is to enable organizations within the DIB to take more of a “crawl, walk, run” approach to increasing their cybersecurity maturity. The new regulation will likely be more welcoming to those that lacked the resources to meet the old requirements. Because Level 2 is aligned directly with a familiar, well-defined standard (NIST SP 800-171) rather than a CMMC-specific set of practices, it should be easier for companies to implement. Over time, this should make it easier for more organizations to implement stronger controls and better processes, raising the bar everywhere.
More rules and refinements for CMMC 2.0 are still to come. As the DoD continues to release additional information, we’ll stay up to date.
BTB Security is not a Certified Third-Party Assessor Organization, but we are a CMMC Registered Provider Organization (RPO). This means that we’re listed in the CMMC Marketplace among organizations that can help DIB companies advance their CMMC compliance programs and prepare for assessments.
If you’d like to learn more about the differences between CMMC 1.0 and 2.0 (or the latest in DIB compliance requirements), schedule a free consultation with a member of our expert team. We’re here to help!