CMMC 2.0 is here! What changed? What now?

The Pentagon just announced CMMC 2.0, with sweeping changes to Cybersecurity Maturity Model Certification (CMMC) requirements. Here's what changed & how it impacts the DIB.
This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

On November 4th, 2021, the Department of Defense (DoD) announced changes to Cybersecurity Maturity Model Certification (CMMC) with the release of CMMC 2.0. More information will be released soon, but some of the changes from CMMC 1.02 to CMMC 2.0 are drastic (from the surface). Here is a high-level breakdown of what’s changing, and what you should be focused on moving forward.

First, and most importantly, organizations that contract with the DoD, while handling Controlled Unclassified Information (CUI) on non-federal systems, are still required to meet TODAY’S requirements (DFARS 252.204-7012, 7019 and 7020), which have nothing to do with CMMC. This needs to be said, as it seems to be getting lost in the complaining, celebrating, and noise-making of CMMC 2.0’s release.

Biggest changes from CMMC 1.02 to CMMC 2.0

  • CMMC 2.0 will consist of three (3) levels, versus the five (5) levels of CMMC 1.02. Levels 2 and 4 are no longer part of the model. Level 1, titled, “foundational” will consist of the 17 basic safeguarding controls of FAR 52.204-21. From a security controls standpoint, nothing changed there. Once CMMC 2.0 is in place (more on that below), those required to be CMMC Level 1 will be allowed to self-assess their cybersecurity posture (annually), with leadership sign-off, and enter their score in to the Supplier Performance Risk System (SPRS).
  • CMMC 2.0 eliminates all maturity processes. Practices are (again) the focus that needs to be put in place, based on the data that an organization handles (CUI vs non-CUI).
  • CMMC Level 2, titled “Advanced”, becomes the level for those handling CUI in non-federal systems. The 110 controls and 321 practice objectives of NIST SP 800-171 rev. 2 and NIST 800-171A are to be fully implemented, just as they were required to be prior to CMMC 1.02. CMMC 2.0 removes the “Delta 20” additional practices of CMMC Level 3 from 1.02. If NIST 800-171 is fully in place, the 20 additional practices aren't as difficult as many made them out to be. Does that mean they’re gone forever? Time will tell. We'll blog on that some other time!
  • CMMC Level 3, titled “Expert”, goes above and beyond NIST SP 800-171, to align with NIST SP 800-172, which is a more proactive set of controls that focuses preventing Advanced Persistent Threats (APTs). These assessments will be government-led (DIBCAC), yet no further information on what the means is available.
  • CMMC 2.0 will not go in to affect right away. Per the release of CMMC 2.0: “The changes reflected in CMMC 2.0 will be implemented through the rule-making process Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rule-making both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.” Also, DoD OUSD(A&S) currently estimates the rule-making process could take 9-24 months, which is unfortunate. Changes to CMMC Level 2 can (and likely will) go through some changes before all things are final.
  • Under CMMC 2.0, CMMC Level 2 will be bifurcated (divided) in to two groups: "Critical to National Security Information", and CUI that isn’t deemed as critical. The decision as to what businesses can perform self-attestation and which ones require a C3PAO is not completely clear. It may be if you handle data that meets the “Controlled Technical Information” (CTI) definition from DFARS 252.204-7012 and has DoD 5230.24 distribution statements B through F, then you may need a C3PAO assessment. Those who have been awarded to perform services on critical CUI contracts, will go through third-party assessments from C3PAOs tri-annually, while select programs will be allowed to self-assess annually. More information on this will come at a future date.
  • Plans of Action & Milestones (POA&M) will be allowed, however, will be "time-bound" and "enforceable.” This is where accountability of the contractor continues to stack up. This isn’t new to any contractor subject to DFARS and NIST SP 800-171. CMMC 1.02 put a lot of focus on strategic planning. The DoD wants to see how their suppliers plan to become compliant and a non-vulnerable piece of the supply chain. That won’t change due to the focus on accountability across the entire supply chain. The days of “kicking the can down the road” and “we’ll just POA&M it until we have to do it” are going away. Contractors will, for the sake of National Security, be hold accountable to their POA&Ms, or they'll likely face potential False Claims Act scenarios.
  • The DFARS Interim Rule (DFARS 252.204-7012, 7019 and 7020), which have nothing to do with CMMC, is still in effect. The only change is that CMMC Pilots are being put on hold, therefore DFARS 252.204-7021 will not be allowed to be in any contracts until CMMC 2.0 is in effect.
Get the facts about CMMC 2.0, speak with a NIST expert at Beryllium InfoSec today
Book Free Consultation

What to focus on now and moving forward

From the surface, it appears there were a lot of drastic changes from CMMC 1.02 to CMMC 2.0. However, when you look at what is required today vs what will be required in the future, things didn’t really change that much. NIST SP 800-171 is, and always has been, the backbone and associated focus of protecting the confidentiality of CUI. Under NIST 800-171, contractors are required to show policy and procedure documentation, to support their implementation. CMMC was originally developed to verify that the accountability of defense contractors was taking place, versus a self-assessing trust model that wasn't working.

Accountability is critical for the Defense Industrial Base

Through the early days of CMMC, to the DFARS Interim rule, and now the release of CMMC 2.0, it is blatantly clear that the DoD is putting as much accountability as they can on the supply chain. The DoD and tier-one contractors have a lot of accountability themselves, but to create a collaborative model, accountability is now required in areas it wasn’t previously. For example, CMMC has put a big emphasis on leadership buy-in and responsibility between the contractor and the providers it chooses to use to implement NIST SP 800-171, FAR 52.204-21, etc. Accuracy, planning, budgets allocated to resources, and proactive measures to hit the goals set forth, are met. More importantly, having a System Security Plan (SSP) that you can stand behind and defend, is what the DoD wants to see.

Not sure how the CMMC 2.0 impacts your organization? Get the facts

At Beryllium and cuick trac™, that’s what we do for our clients. We advise on first establishing where an organization is, today, in their compliance program. Focusing on current progress of implementing NIST SP 800-171, building the correct strategic plan to hit established timelines, and how the organization's managed compliance program stays in place, while threats and requirements continue to evolve.

For those who see CMMC 2.0 as a “victory” or a “told ya so!” moment, so they DON'T have to increase their cybersecurity requirements and compliance programs, they’re going to fall even further behind. Beryllium and cuick trac™ engage with organizations who are proud to be part of the DoD supply chain, and more importantly, understand that our national security is at risk. We will continue to be part of the solution!

If you’d like to discuss CMMC 2.0 in more detail and figure out the best path forward for your organization, contact us and speak with one of our cybersecurity advisors today.

Get the facts about CMMC 2.0, speak with a NIST expert at Beryllium InfoSec today
Book Free Consultation
Derek White
Chief Product Officer
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.

Speak With a NIST Security Expert at Beryllium InfoSec Today

To reach us please fill out the form below.