January 2022 Updates to CMMC 2.0
The Department of Defense (DoD) has released additional information regarding CMMC 2.0 and the specifics surrounding the Level 1 and Level 2 Assessment Guides.
We’ll be discussing these key updates and how your organization can prepare now for when CMMC 2.0 goes into effect.
Brief Overview of CMMC 2.0
Simply put, CMMC 2.0 is a streamlined version of CMMC 1.0, featuring three levels instead of the previous five levels.
With this new structure comes additional accountability surrounding how often and who must affirm a company’s compliance with regulations. Depending on your compliance level, an annual self-assessment with affirmation from senior company leadership or a triennial third-party assessment is required.
For more in-depth information on the key updates of CMMC 2.0 from November 2021, check out our previous blog post.
CMMC 2.0 Assessment and Scoping Guides
In this latest update from the DoD, the department outlined 2 critical factors in defining a NIST 800-171 Assessment: Scope and Assessment.
Scope is defined as the assets within your environment that need to be assessed in order to comply with NIST 800-171 standards, while Assessment is the overall objective to comply with NIST 800-171 and CMMC standards. Within the Assessment factor, they have outlined Assessment Complexity and Assessment Methods.
Assessment Complexity is made up of these four parameters. For each control, you must define these:
- Specifications: policies, procedures, security plans
- Mechanisms: what kind of tool you use to access and process Controlled Unclassified Information (CUI) or Federal Contract Information (FCI)
- Activities: protection related actions that involve people (ex. Contingency plans)
- Individuals: people who apply the specifications
The Scope and Assessment Guides differ for Level 1 “Foundational” and Level 2 “Advanced.” We’ll outline the differences below:
Level 1 “Foundational” Scope
This level is for organizations who store, process and transmit FCI only. This includes people, technology, facilities and external service providers.
Level 1 “Foundational” Assessment Guide
There are 17 controls that must be met for CMMC Level 1, and these are detailed in a 54-page Assessment Guide.
Level 2 “Advanced” Scope
This level is for organizations who handle Controlled Unclassified Information (CUI). Certification can be obtained for an entire enterprise network, a segment of that network or an enclave.
There are now five categories that specific assets fall into:
- CUI Assets
- Security Protection Assets
- Contractor Risk Managed Assets
- Specialized Assets
- Out of Scope Assets
Level 2 “Advanced” Assessment Guide
The Level 2 assessment consists of 110 controls (including the controls outlined for Level 1) and is detailed in a 271-page Assessment Guide that includes 320 objectives that must be completed by Certified Assessors and/or contractors looking to conduct their own assessment.
Thinking of a DIY Assessment?
Based on our past engagements, we’ve found an average discrepancy between companies scoring themselves against NIST 800-171 and having an outside, evidence-based assessment conducted of -95 points.
Submitting NIST 800-171 scores that are inaccurate or CMMC assessments not completed in good faith could put your business at legal and financial risk under the False Claims Act.
2022 Planning and Steps to Compliance
To prepare your company for 2022 and achieve NIST 800-171 and CMMC compliance, we recommend getting started with an initial Readiness Assessment. And then, a detailed Gap Assessment to establish your baseline, ensuring your organization has time to plan and budget for any necessary work needed to fulfill requirements.
Consider a Readiness Assessment a “gut check” of where your organization currently lands on compliance. A Gap Assessment is a useful way to identify each specific gap in compliance as well as an accompanying Plan of Action and Milestone (POAMs) needed to meet compliance.
We recommend scheduling these engagements NOW to prepare yourself for 2022 and beyond.
SSE Can Help You Prepare Your Business
SSE has the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.
Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment to get started.
Need to Meet CMMC Compliance?
Schedule Your CMMC Readiness Assessment
Fill out the form below to start the process