The Dataprise Blog

What is CMMC 2.0?

Feb 16, 2022 BY DATAPRISE

CMMC refers to the Cybersecurity Maturity Model Certification, a program created for federal contracts by the Department of Defense (DoD). Designed to protect sensitive information, the requirements have recently been revamped to a 2.0 version. Learn more about what this means for contractors and why it’s so important to get ahead of this certification.

What Is CMMC?

CMMC is meant to assure the DoD that the security controls and protocols of federal contractors are sufficient to keep data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), under the proverbial lock and key. The level an organization needs to meet will depend on its access to sensitive data.

The original CMMC featured five security levels:

  • Basic cyber hygiene: Follow the safeguarding requirements in the Federal Acquisition Regulations (FAR).
  • Intermediate cyber hygiene: Meet 65 requirements in NIST 800-171.
  • Good cyber hygiene
  • Proactive cyber hygiene
  • Advanced cyber hygiene

The last three levels require complete compliance with NIST 800-171 plus additional bespoke practices and processes depending on the organization in question.

The Evolution of CMMC

CMMC was introduced as an update to the cybersecurity regulations in the Defense Federal Acquisition Regulations Supplement (DFARS). The original rules were published as an interim rule, but required that most defense contractors and subcontractors be certified by a third party by 2025. After the Biden Administration conducted a review of the requirements, the government came out with version 2.0.

CMMC 2.0 has simplified the original five levels into three. It continues to allow self-assessment for Level 1 and for part of a divided Level 2; all other parties will need third-party certification. Contractors who handle CUI will also need to comply with DFARS, the supplement that lays out the general policies of the DoD and the relevant legal requirements for contractors.

What Is the Goal of CMMC 2.0?

CMMC 2.0 was created after Defense Industrial Base (DIB) companies expressed concerns about confusing rules and a corresponding lack of compliance. The certification requirements also posed a threat to small businesses, which reduced the pool of potential contractors for the DoD to choose from. For instance, third-party certification is no longer needed at Level 1, which may make it easier for leaders to satisfy the regulations without impacting operations.

The Three Levels of CMMC 2.0

The new levels of CMMC 2.0 are:

  • Level 1: The main change is that company leaders are allowed to certify compliance on an annual basis.
  • Level 2: Companies must maintain NIST 800-171 compliance, though some of the other compliance measures have been eliminated. In addition, some contractors may be able to self-assess depending on the circumstances.
  • Level 3: Requires full compliance with NIST 800-171 and at least some compliance with NIST 800-172. Certification by a third party is required.

Who needs CMMC certification? As you might be able to tell from the description of Level 2, this question still seems up for debate.

How Can You Prepare for CMMC 2.0?

If you’re concerned about CMMC compliance, we highly encourage you to get ahead of this requirement. Current projections are that CMMC 2.0 will go live anywhere from 9 months to 2 years from now, but there's no reason to wait until the last minute.

While the new rules are designed to simplify things in theory, the actual dividing lines between levels and between self-assessment and third-party assessment are anything but straightforward. Plus, even if you are solidly at Level 1, it can be a good idea to have a third party take a look at the efficacy of your security. In other words, getting certified now can be the best move you ever made.
