CMMC 2.0 Changes – What it means for
DoD Contractors

Overview

In the latest iteration of its new Cybersecurity Compliance Framework for its contractors, the Department of Defense (DoD) announced CMMC 2.0, as well as the Defense Industrial Base (DIB). CMMC 2.0 introduced significant changes to the CMMC program. The DoD started rolling out pilot contracts in early 2021 and incorporated feedback from the industry and small businesses to make relevant changes to the programs.

There are significant changes to these areas:

2. CMMC 2.0 Control Requirements

The requirements for CMMC 2.0 have been scaled back to or close to the 110 controls in NIST SP 800-171.

• CMMC 2.0 Level 1 Controls – Foundational Level

  These requirements are the same as the older CMMC 1.02’s 17 processes. Foundational Level 1 will be fulfilled once these processes are implemented.

• CMMC 2.0 Level 2 Controls – Advanced Level

  The Control requirements were scaled back to the 110 controls of NIST SP 800-171, which were a requirement under DFARS 252.204-7012 (since 1.1.2018) and DFARS -7019 (since 11/30/2020) already. An additional 20 controls unique to CMMC 1.02 were proposed but they have not been implemented at this level.

  Under CMMC 2.0, this “Advanced” level will be equivalent to the NIST SP 800-171. The requirements regarding documentation (policies, procedures, etc.) are not explicitly mentioned anymore, which might lead some to conclude that no documentation is needed here. However, solid documentation was always required for NIST SP 800-171 implementation as well, so it will still be expected.

• CMMC 2.0 Level 3 Controls – Expert Level

  In addition to the requirements from Level 2, CMMC 2.0 Level 3 will be based on a subset of NIST SP 800-172 requirements. This “Expert” level is currently under development.

3. CMMC 2.0 Assessment Requirements

Only contractors of Level 3 and part of Level 2 will have to become certified. Those in Level 1 and the remainder of Level 2 will be allowed to perform self-assessments.

• CMMC 2.0 Level 1 Assessments

  Contractors that will handle FCI exclusively (Level 1) no longer require certification. Instead, they must provide an annual Level 1 self-assessment with an additional annual affirmation from a senior company official that the company is meeting requirements. Their score in the self-assessment should be submitted to the Supplier Performance Risk System (SPRS) as well.

• CMMC 2.0 Level 1 Assessments

  This “Advanced” Level allows for managing CUI, and the organizations required to achieve this compliance level are divided into two subsets with two different assessment requirements. Contractors fall into one of two subsets: those that handle information “critical to national security” and those who don’t. This will need to be clarified further by the DoD.

  • Level 2 – Subset 1: Contractors that handle information NOT deemed critical to national security. These organizations can perform the annual self-assessments as the companies in Level 1.

  • Level 2 – Subset 2: Contractors managing information deemed critical to national security. These companies will have to be certified and will be assessed by a CMMC Third-Party Assessment Organization (C3PAOs )accredited by the CMMC-AB.

• CMMC 3.0 Level 1 Assessments

  Organizations in the “Expert” level must be certified. At this level, the certification assessment will be performed by government officials.

4. CMMC 2.0 PoA&M requirements

The initial version, CMMC 1.02, did not allow for any “open items” in the Plan of Actions and Milestones (PoA&M) document. The DoD has softened its stance and intends to allow companies to receive contract awards with a POA&M in place to complete CMMC requirements. However, only low-risk items can be added as “open items” on the list, and there is a 180-day period in which the contractor will have to remediate the issue and become compliant. Another additional requirement is the minimum assessment scores. All the highest weighted NIST SP 800-171 controls will have to be implemented without exceptions at contract award.