As a DoD contractor, you already know the road to CMMC compliance is full of twists and turns. Now, amid concerns about the costs and complexities of the process, the DoD has overhauled the Cybersecurity Maturity Model Certification once again, launching CMMC 2.0 in November.
CMMC 2.0 is the DoD’s effort to streamline and improve the earlier CMMC compliance requirements, specifically by consolidating the five maturity levels into three. CMMC 2.0 maintains the program’s original mission of protecting sensitive information, but offers several other advantages for some government contractors:
- Simplifies the standards.
- Minimizes barriers to compliance.
- Sets priorities for protecting DoD information.
- Provides additional clarity on regulatory, policy, and contracting requirements.
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
- Increases department oversight.
Collapsing and Streamlining the Levels
CMMC 2.0 still has Levels 1, 2, and 3, but they are very different from the levels of CMMC 1.0. The former Levels 2 and 4 have been eliminated. Here’s a brief overview of what the new levels look like.
Level 1 mostly stays the same, with 17 practice requirements, but third-party assessments are no longer required. Instead, an annual self-assessment will be required to certify compliance.
Level 2 (formerly Level 3 in CMMC 1.0) will be aligned with the full 17 NIST 800-171 practices but eliminates all CMMC-unique practices and processes. Assessments for Level 2 will be triennial third-party assessments for critical national security information and annual self-assessments for select programs.
Level 3 (formerly Level 5 in CMMC 1.0) will use a subset of 100+ NIST 800-172 practices. Level 3 will require triennial government-led assessments.
The Interim Rule Is Still In Effect!
The Interim Rule is still in effect! The NIST 800-171 Self-Assessment, SSP, POAM, and SPRS Score still stand. However, the timeline for contracts to include the CMMC level may change from 2025 to 2023.
Confused yet? With the introduction of CMMC 2.0, it’s time to take a look at where you are now, what the new changes mean for your company, and where you need to go. SME can help you better understand 2.0 and how you can competitively position your organization by developing a plan on how to get there.