Key Updates in CMMC 2.0

The Department of Defense (DoD) announced on Nov 4th, 2021 that the Cybersecurity Maturity Model Certification (CMMC) version 1.0 will be replaced with a streamlined program called “CMMC 2.0.”

We’ll be discussing the key differences, how your organization should prepare now for CMMC 2.0, and when it goes into effect.

What’s Changed?

Streamlined Model

The previous CMMC version 1.0 model that had 5 levels has been simplified to 3 levels in CMMC 2.0, with the removal of Level 2 and Level 4.

Level 1 “Foundational” remains unchanged.

Level 2 “Advanced” is what Level 3 was formerly, but it has been simplified to align with the 110 practices of NIST 800-171.

Level 3 “Expert” is what Level 5 was formerly, with additional specifics, including the number of practices, still to be defined by the DoD.

CMMC Models

Assessment Requirement

Depending on your compliance level, an annual self-assessment with affirmation from senior company leadership or a triennial assessment is required.

This differs from the previous CMMC version 1.0 requirement of triennial assessments across all levels, but it adds accountability through annual self-assessments and the affirmation required from senior company leadership.

The DoD has yet to announce which companies in Level 2 will require triennial assessments from a third party or which ones will follow the self-assessment and affirmation process.


Limited Use of POAMs (Plans of Action and Milestones)

Under CMMC 1.0, organizations either met all practices or didn’t, and POAMs were not allowed. CMMC 2.0 will allow “limited use” of POAMs. The DoD has said that these will be strictly time-bound and limited in scope.

A period of 180 days was floated as the timeline allowed for remediation of POAM items. However, the DoD also stated that POAMs would not be allowed for the highest-weighted requirements.

What does this mean for a company looking at Level 2? Approximately 40% of the 110 NIST 800-171 controls that make up Level 2 are currently weighted as -5 point deductions under the NIST 800-171 assessment methodology. So it is anticipated that those controls, nearly half of Level 2, would not be allowed to have POAM items.

Lastly, the DoD stated that it would also establish a minimum assessment score required to support certification with open POAM items.
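The two POAM rules above (no POAMs on the highest-weighted controls, plus a minimum score floor) are easy to reason about once the assessment is expressed as a weighted scorecard. The following Python is an added example, not SSE's or the DoD's code: it scores a self-assessment under the DoD Assessment Methodology (start at 110, subtract each unmet requirement's 1, 3 or 5 point value) and separates gaps that must be fixed before certification from gaps a POAM could cover. The requirement-to-weight table is an illustrative subset constructed for this example, and the minimum score is a placeholder parameter because the DoD has not yet published one.

```python
"""Added example: score a NIST SP 800-171 self-assessment and sort unmet
requirements by POAM eligibility. Not SSE's or the DoD's own tooling."""

# DoD Assessment Methodology: 110 requirements, a perfect score is 110.
MAX_SCORE = 110

# Illustrative subset of requirement IDs and point values (1, 3 or 5).
# Constructed for this example; confirm every weight against the published
# DoD Assessment Methodology before relying on it.
WEIGHTS = {
    "3.1.1": 5,   # limit system access to authorized users
    "3.1.2": 5,   # limit access to permitted transactions and functions
    "3.1.5": 3,   # least privilege
    "3.1.8": 1,   # limit unsuccessful logon attempts
    "3.3.1": 5,   # create and retain audit logs
    "3.3.2": 3,   # trace actions to individual users
    "3.4.1": 5,   # baseline configurations
    "3.5.3": 5,   # multifactor authentication
    "3.6.1": 5,   # incident-handling capability
    "3.11.1": 3,  # periodic risk assessment
    "3.13.1": 5,  # boundary protection
    "3.14.2": 5,  # malicious code protection
}

# Weight at which the DoD has said a POAM will not be permitted.
POAM_BLOCKED_WEIGHT = 5


def assessment_score(unmet, weights=WEIGHTS):
    """Return MAX_SCORE minus the weight of every unmet requirement."""
    unknown = [r for r in unmet if r not in weights]
    if unknown:
        raise KeyError(f"no weight on file for: {unknown}")
    return MAX_SCORE - sum(weights[r] for r in set(unmet))


def triage(unmet, minimum_score, weights=WEIGHTS):
    """Split unmet requirements into must-fix-now (no POAM allowed) and
    POAM candidates, and report whether the result could still certify
    with POAMs under the assumed minimum score."""
    score = assessment_score(unmet, weights)  # validates IDs first
    # Sort numerically by the dotted requirement ID (3.1.8 before 3.11.1).
    ordered = sorted(set(unmet), key=lambda r: tuple(int(p) for p in r.split(".")))
    must_fix = [r for r in ordered if weights[r] >= POAM_BLOCKED_WEIGHT]
    poam_ok = [r for r in ordered if weights[r] < POAM_BLOCKED_WEIGHT]
    return {
        "score": score,
        "must_fix_now": must_fix,
        "poam_candidates": poam_ok,
        "certifiable_with_poams": score >= minimum_score and not must_fix,
    }


if __name__ == "__main__":
    # Constructed gap list from a hypothetical self-assessment.
    gaps = ["3.1.1", "3.1.5", "3.1.8", "3.5.3"]
    # 88 is a placeholder threshold; the DoD has not published the real one.
    print(triage(gaps, minimum_score=88))
```

Running the sample shows the practical point of the page's 40% figure: a single unmet 5-point control (here 3.1.1 and 3.5.3) keeps the organization off the certifiable list regardless of its total score, while the 3- and 1-point gaps are the only ones a time-bound POAM could carry.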

Timeline

Under CMMC version 1.0, requirements were to be phased into contracts between now and 2025. However, with CMMC 2.0, the DoD has stated that requirements will take effect following a rulemaking period that is estimated to take between 9 and 24 months.

This means that at the earliest, we could expect CMMC 2.0 to take effect by September 2022 and at the latest, by December 2023.

The reality is that CMMC is not on hold, and the timeline may actually be speeding up with these new changes. And while this may still appear to give some time for implementation, please remember that DFARS contract clauses -7012, -7019 and -7020 are still in effect and require NIST 800-171 compliance, with self-assessment scores submitted to the Supplier Performance Risk System (SPRS).

SSE Can Help You Prepare Your Business

At SSE, we know these nuanced changes and requirements can feel overwhelming. As a Registered Provider Organization (RPO) with the CMMC-AB, we are up to speed on the latest changes. Our team has the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.

Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment to get started.
