Coming Soon: The CMMC 2.0

In a surprise move, there will be a Cybersecurity Maturity Model Certification (CMMC) 2.0. Earlier this week, the Pentagon released a CMMC 2.0 update, which at first glance, appears to be more streamlined than its predecessor.

In 2019, the Department of Defense announced a new cybersecurity compliance framework — the Cybersecurity Maturity Model Certification or CMMC. The CMMC requires that every DoD contractor maintain a uniform set of cybersecurity standards in order to execute and bid on contracts, and, importantly, access DoD systems.

However, CMMC requirements will not be included in DoD contracts until CMMC 2.0 completes the rulemaking process, which takes anywhere from 9 to 24 months. Upon the completion of the rulemaking process, CMMC 2.0 will become an official contract requirement. This also means that all current CMMC pilot work is suspended.

It appears the Pentagon received quite a bit of feedback regarding CMMC 1.x and the need for changes to the program. These changes include reducing the cost of implementation, an increase in the trust of the assessment process, and further clarification about requirements. That feedback led to a review and overhaul of the CMMC program that resulted in CMMC 2.0

After reviewing the changes, I really like the new CMMC 2.0. It appears to be simpler and straightforward, plus it allows for waivers and the use of Plan of Action & Milestones (POA&Ms) in lieu of meeting all requirements from the start.

There are now three levels of CMMC compliance as opposed to five. Here's a quick breakdown of those three levels:

• Level 1 will require 17 practices and an annual self-assessment.

• Level 2 will require 110 practices aligned with NIST SP 800-171, and either an annual self-assessment or a tri-annual assessment by a CMMC 3rd Party Assessment Organization (C3PAO). The assessment type will depend on the criticality of the information being handled.

• Level 3 will require 110+ requirements based on a subset of NIST SP 800-172 and a government-led, tri-annual assessment. The exact Level 3 requirements haven’t been fully decided and will be released in the future.

I mentioned the allowance for waivers. Yes, that is now a part of CMMC 2.0. It wasn’t an option in CMMC 1.x. So far what we know is that the U.S. Department of Defense intends to allow limited waivers to exclude CMMC requirements entirely for sake of time-critical acquisitions, which may reduce mission-critical capabilities. You can also submit POA&Ms if you need more time to attain compliance, which is a welcome change.

So, what do these changes mean for you, the learner? They mean CMMC should cost less to implement based on the level of compliance you're aiming for. It also means that you don’t necessarily have to meet all of the requirements from the start. You can submit a POA&Ms in lieu of meeting all requirements. 

Lastly, you’ve got nine months or so of additional time to become compliant before CMMC 2.0 goes live. Let's get out there, perform gap analysis, implement changes, and become CMMC compliant!

In case you're wondering, there are plans to update my current CMMC training to align with CMMC 2.0. So keep your eyes open for those updates!