CMMC 2.0 has been released! Early Thursday morning, November 4th, a proposed rule was accidentally published on the Federal Register titled, ”Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward”. The associated document (Archived here) sent the CMMC ecosystem into overdrive as we awaited additional guidance. Three long hours later, Acquisition and Sustainment at the Office of the Undersecretary of Defense released new CMMC 2.0 content providing a deeper look at the changes, but also posing many new questions.
What happened to CMMC 1.0?
The initial document posted on the federal register had six key points about DoD requirement modifications for CMMC version 2.0: These modifications include:
- Eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model”
Removal of “CMMC-Unique” practices and processes would appear to bring CMMC into direct alignment with NIST 800-171, however there has not been clarity on CMMC uniqueness vs NIST 800-171, 800-172. A quick review of the CMMC Errata shows many controls that draw upon non-NIST sources such as Center for Internet Security.
- Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1
This is great news for organizations that only handle Federal Contract Information (FCI), as it removes the assessment burden and cost for organizations that do not touch Controlled Unclassified Information.
Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, non-prioritized acquisitions that would require annual self-assessment, annual company affirmation
CMMC Level 5 requirements are still under development
CMMC 2.0 level 3 (Which equates to CMMC 1.0 Level 5) will include NIST 800-172 controls.
Development of a time-bound and enforceable Plan of Action and Milestone process
- POAMS are back! (See below)
Development of a selective, time-bound waiver process, if needed and approved
- These Waivers will be for the entire CMMC requirement (not individual controls) and will be approved by senior DOD leadership on a case-by-case basis. The expectation is that these waivers will be used for time-critical acquisitions where CMMC requirements would reduce mission-critical capabilities.
What has changed with CMMC 2.0?
Plan of Actions and Milestones (POAMS) under CMMC Level 2.0
With CMMC 2.0, the DOD intends to once again allow contracts to be awarded with a Plan of Actions and Milestones (POAM) in place to complete CMMC requirements. There will be a number of mandatory controls needed for award, with additional controls understood to be addressed with a clearly identified timeline.
Understanding CMMC 2.0 Level 1
CMMC 2.0 Level 1 will include the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171 meant for basic cyber hygiene. This will apply to organizations handling ONLY Federal Contract Information (FCI). The department sees this foundational level as an opportunity to engage contractors in developing and strengthening their cybersecurity posture. CMMC 2.0 Level 1 will be achievable with a self assessment.
Understanding CMMC 2.0 Level 2
CMMC 2.0 Level 2 includes the 110 controls of NIST 800-171. Level 2 will be split based on the criticality of the information held by the organization. For organizations deemed to hold CUI identified as Critical National Security Information a third party assessment will be required every three years. For select organizations an annual self assessment against these controls will be sufficient.
Understanding CMMC 2.0 Level 3
CMMC 2.0 Level 3 is still under development, but the official website lists 110+ practices based on NIST 800-172, which we discussed in our blog and video here. The most important thing to know is that assessments at level 3 will be completed by the government and not C3PAOs.
What CMMC 2.0 Level will my company require?
For FCI handling organizations, this is greatly simplified as Level 1, removing the old transitional level that might be required for FCI. For organizations handling CUI, the required CMMC level for contractors and sub-contractors will be specified in Requests for Information and Solicitations. No CMMC requirements will be added to contracts until the formal rule-making process is complete.
Timeline for CMMC 2.0
The DoD has specified that while the publication of CMMC 2.0 materials can be understood to reflect strategic intent, there will be no contractual requirements for CMMC 2.0 until formal rulemaking is complete. This process can take 9-24 months. (The time from the first published draft of CMMC to DFARS 7021 was approximately 22 months)
What You Should Do About CMMC 2.0
Keep on truckin’. Cybersecurity is not going away as a requirement, and it appears that CMMC 2.0 is meant to not only simplify compliance, but quite possibly accelerate it. There are additional considerations to drive continued development of your security programs.
- Remember that the entire defense industrial base is still subject to DFARS, and you already have contractual requirements to meet NIST 800-171 and DFARS 7012.
- The new DOJ Cyber-Fraud initiative announced on October 6th gives the DOJ the teeth and motivation to pursue false claims act charges against federal contractors who have not met their contractual cybersecurity requirements. (NIST 800-171 never went anywhere)
- Relax, but don’t be lax. The new clarity (and confusion) around CMMC 2.0 timelines means there is still time to get your house in order. The DFARS 7021 requirement to submit and maintain a NIST 800-171 self-assessment in the DOD’s Supplier Performance Risk System (SPRS) still stands.
What about ITAR, CDI, and Export Controlled CUI?
There is no change to ITAR, Export Controlled, or NOFORN labeled CUI handling. These requirements remain the same. See our blog on mapping CMMC 2.0 to Microsoft 365 Commercial, GCC, and GCC High to help understand these new compliance changes.
Help with Microsoft 306 and CMMC 2.0
If you need help bringing your Microsoft technology stack into alignment with CMMC 2.0, NIST 800-171, ITAR, DFARS, FedRAMP, and FISMA, please reach out for a free consultation. Agile IT is a CMMC Registered Provider Organization (RPO) as well as a Microsoft AOS-G partner capable of licensing, implementing, migrating and hardening Microsoft Commercial, GCC, GCC High and Azure Government.