Compliance 101

What You Need to Know about CMMC 2.0

CMMC 2.0 Model

Per the Undersecretary of Defense, the CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.

According to the Federal Acquisition Regulation (FAR), FCI is defined as non-public information provided by or generated for the government under a contract to develop or deliver a product or service to the federal government. This does not include information provided by the government to the public (like on public websites) or simple transactional information. 

Similarly, CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government. A law, regulation, or policy requires or permits an agency to handle this information using safeguards or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

What is CMMC compliance?

The Department of Defense created an IT compliance program called the Cybersecurity Maturity Model Certification. This certification requires DoD contractors to implement security practices designed to protect Controlled Unclassified Information (CUI) & Federal Contract Information (FCI). 

Additionally, the CMMC program creates an assessment program designed to ensure that DoD contractors are implementing security practices.

CMMC 2.0 is the next iteration of the Department’s cybersecurity model. It streamlines requirements to three levels of cybersecurity – foundational, advanced, and expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

Who needs a certification?

DoD contractors need a CMMC certification. Contractors will need a 2.0 certification around late 2022 or 2023.

When will the DoD require CMMC 2.0?

It will not become a contractual requirement immediately. However, after the DoD completes the rulemaking process for implementing CMMC, they will require certification. The DoD expects the rulemaking process to take anywhere from 9 to 24 months, bringing us to late 2022 or 2023.

How will an organization know if CMMC is required?

The DoD specifies the required level in the solicitation and in any Requests for Information (RFIs). Contractors pursuing DoD business opportunities need to be on the lookout for requirements.

How many contractors will need to comply?

Currently, the DoD expects to require CMMC for roughly 220,996 DoD contractors. They expect revised figures once the DoD submits the proposed model through the Federal Rulemaking Process.

CMMC maturity model 2.0

The Proposed 2.0 Model is the next iteration of the DoD’s Model. This update to the model is designed to:

Streamline the model by removing most of the net new requirements (practices and process maturity) introduced in CMMC 1.0. This leaves most contractors implementing only the practices already required under their existing IT compliance obligations.

Reduce assessment costs by decreasing the number of contractors that will need a 3rd party certification.

1 Implementation required since 2016 under DFARS 252.204-7012
2 Implementation required since 2016 under FAR 52.204-21

What are the major changes?

The DoD outlined six major changes to CMMC 2.0.

Eliminates CMMC 1.0 Levels 2 & 4

CMMC 2.0 will reduce the number of levels from 5 to 3.

Reduces the number of contractors needing a 3rd party certification

CMMC 2.0 will only require some Level 2 contractors and all Level 3 contractors to obtain a 3rd party certification. In lieu of third-party certification, all other contractors can perform self-assessments.

Eliminates process maturity requirements

The DoD will not require contractors to implement policies, procedures, and other CMMC 1.0 process maturity requirements.

Reduces the number of practices

Eliminates all unique practices, leaving only practices aligned to NIST 800-171 and NIST 800-172.

Allows for the use of POAMs/remediation plans

CMMC 2.0 will allow contractors to successfully complete 3rd party certifications and self-assessments with a limited number of POAMs/remediation plans.

Creates a requirement waiver process

CMMC 2.0 will allow contractors to obtain waivers from the DoD for the entire requirement.

Who can assess CMMC?

After implementation, businesses with Level 1 or a subset of Level 2 programs can self-assess annually. The program requires third-party and government-led assessments for some Level 2 and all Level 3 programs on a 3-year cycle. 

The DoD will only accept CMMC assessments by an authorized and accredited C3PAO or certified assessor. 

Where can I find additional details?

Find additional details on the DoD’s CMMC website.