In the latest iteration of its new Cybersecurity Compliance Framework for its contractors, the Department of Defense (DoD) announced CMMC 2.0, as well as the Defense Industrial Base (DIB). CMMC 2.0 introduced significant changes to the CMMC program. The DoD started rolling out pilot contracts in early 2021 and incorporated feedback from the industry and small businesses to make relevant changes to the programs.
There are significant changes to these areas:
The requirements were simplified by reducing CMMC Certifications levels from five to three. Levels 2 and 4 from CMMC 1.02 are no longer part of the certification process. Similar to Level 1 in the previous version, CMMC 2.0 Level 1 is limited to the handling of federal contract information (FCI) while CMMC 2.0 Level 2 (former Level 3) allows the handling of FCI and controlled unclassified information (CUI). The new CMMC 2.0 Level 3 combines the old Levels 4 and 5, and will only apply to a small set of companies. For more in-depth information, see our CMMC 2.0 Compliance Levels page.
There are significant changes to these areas:
The requirements for CMMC 2.0 have been scaled back to or close to the 110 controls in NIST SP 800-171.
CMMC 2.0 Level 1 Controls – Foundational Level
These requirements are the same as the older CMMC 1.02’s 17 processes. Foundational Level 1 will be fulfilled once these processes are implemented.
CMMC 2.0 Level 2 Controls – Advanced Level
The Control requirements were scaled back to the 110 controls of NIST SP 800-171, which were a requirement under DFARS 252.204-7012 (since 1.1.2018) and DFARS -7019 (since 11/30/2020) already. An additional 20 controls unique to CMMC 1.02 were proposed but they have not been implemented at this level.
Under CMMC 2.0, this “Advanced” level will be equivalent to the NIST SP 800-171. The requirements regarding documentation (policies, procedures, etc.) are not explicitly mentioned anymore, which might lead some to conclude that no documentation is needed here. However, solid documentation was always required for NIST SP 800-171 implementation as well, so it will still be expected.
CMMC 2.0 Level 3 Controls – Expert Level
In addition to the requirements from Level 2, CMMC 2.0 Level 3 will be based on a subset of NIST SP 800-172 requirements. This “Expert” level is currently under development.
Only contractors of Level 3 and part of Level 2 will have to become certified. Those in Level 1 and the remainder of Level 2 will be allowed to perform self-assessments.
CMMC 2.0 Level 1 Assessments
Contractors that will handle FCI exclusively (Level 1) no longer require certification. Instead, they must provide an annual Level 1 self-assessment with an additional annual affirmation from a senior company official that the company is meeting requirements. Their score in the self-assessment should be submitted to the Supplier Performance Risk System (SPRS) as well.
CMMC 2.0 Level 1 Assessments
This “Advanced” Level allows for managing CUI, and the organizations required to achieve this compliance level are divided into two subsets with two different assessment requirements. Contractors fall into one of two subsets: those that handle information “critical to national security” and those who don’t. This will need to be clarified further by the DoD.
Level 2 – Subset 1: Contractors that handle information NOT deemed critical to national security. These organizations can perform the annual self-assessments as the companies in Level 1.
Level 2 – Subset 2: Contractors managing information deemed critical to national security. These companies will have to be certified and will be assessed by a CMMC Third-Party Assessment Organization (C3PAOs )accredited by the CMMC-AB.
CMMC 3.0 Level 1 Assessments
Organizations in the “Expert” level must be certified. At this level, the certification assessment will be performed by government officials.
The initial version, CMMC 1.02, did not allow for any “open items” in the Plan of Actions and Milestones (PoA&M) document. The DoD has softened its stance and intends to allow companies to receive contract awards with a POA&M in place to complete CMMC requirements. However, only low-risk items can be added as “open items” on the list, and there is a 180-day period in which the contractor will have to remediate the issue and become compliant. Another additional requirement is the minimum assessment scores. All the highest weighted NIST SP 800-171 controls will have to be implemented without exceptions at contract award.
The DoD might issue CMMC waivers, but expressed that these would be issued on a very limited basis for select mission-critical instances and require approval from senior DoD leadership. The waivers have a limited duration and must be supported by mitigation strategies to reduce the risk to the CUI handled by the contractor.
All these changes impact the CMMC implementation timeline and rollout, which started in early 2021 and will end on October 31, 2025, as mentioned in DFARS 252.204-7021. Currently, CMMC 2.0 is in the rulemaking process, which is expected to take 9–24 months.
The DoD will not include CMMC requirements in contracts until this process has been finalized. CMMC will be part of new DoD contract requirements once completed. Considering that the implementation of CMMC requirements can take several months, the time to start the journey toward CMMC compliance is now.