CMMC 2.0 Changes – The Impact on DoD Contractors

11/18/2021

On November 4th, 2021 the DoD announced CMMC 2.0 as the latest iteration of its Cybersecurity & Compliance Framework for its contractors and the Defense Industrial Base (DIB). It introduced significant changes to the CMMC program the DoD had started rolling out with pilot contracts in early 2021. The recent changes were made to take into account feedback from industry and small businesses.

Compared to the CMMC 1.02 version of the framework there are noteworthy changes in four areas:

1) CMMC 2.0 Levels

A change towards simplifying the requirements is the reduction of the CMMC Certification Levels from 5 down to 3. Levels 2 & 4 from CMMC 1.02 were eliminated. As in the earlier version, CMMC 2.0 Level 1 is limited to the handling of Federal Contract Information (FCI). CMMC 2.0 Level 2 (the former Level 3) allows for the handling of Controlled Unclassified Information (CUI) in addition to FCI. The new CMMC 2.0 Level 3 combines the old Levels 4 & 5 and will apply to only a small set of companies. For more in-depth information see our CMMC 2.0 Compliance Levels page.

2) CMMC 2.0 Control Requirements

Overall, the control requirements have been scaled back to or close to the 110 controls in NIST SP 800-171.

CMMC 2.0 Level 1 Controls – Foundational Level

No changes have been made as compared to CMMC 1.02. 17 processes need to be implemented to fulfill this Foundational Level 1.

CMMC 2.0 Level 2 Controls – Advanced Level

The control requirements were scaled back to the 110 controls of NIST SP 800-171, which were already a requirement under DFARS 252.204-7012 (since 1/1/2018) and DFARS 252.204-7019 (since 11/30/2020). The planned additional 20 controls unique to CMMC 1.02 were eliminated. Bottom line: Under CMMC 2.0, this “Advanced” level will be equivalent to NIST SP 800-171.

The requirements regarding documentation (policies, procedures etc.) are no longer explicitly mentioned, which might lead some to conclude that no documentation is needed any longer. However, solid documentation was always required for a NIST SP 800-171 implementation as well, so this does not represent a change.

CMMC 2.0 Level 3 Controls – Expert Level

In addition to the requirements from Level 2, CMMC 2.0 Level 3 will be based on a subset of NIST SP 800-172 requirements. This “Expert” level is currently under development.

3) CMMC 2.0 Assessment Requirements

Probably the most controversial revision concerns the changes to the assessment requirements. Only contractors at Level 3 and part of those at Level 2 will have to become certified. Those at Level 1 and the remainder of Level 2 will be allowed to perform self-assessments.

CMMC 2.0 Level 1 Assessments

Contractors that will handle FCI exclusively (Level 1) will no longer be required to become certified. Instead, they must provide an annual Level 1 self-assessment together with an annual affirmation from a senior company official that the company is meeting the requirements. The score of the self-assessment will have to be submitted to the Supplier Performance Risk System (SPRS) as well.

CMMC 2.0 Level 2 Assessments

This “Advanced” Level allows for managing CUI and is unique in the sense that the organizations required to achieve this compliance level are divided into two subsets, which results in two different assessment requirements. The criterion used to categorize contractors into one of the subsets is whether the information they handle is “critical to national security” or not. This will need to be clarified further by the DoD.

Level 2 – Subset 1:

Contractors that handle information NOT deemed critical to national security. These organizations can perform annual self-assessments, like the companies at Level 1.

Level 2 – Subset 2:

Contractors managing information deemed critical to national security. These companies will have to be certified and will be assessed by a CMMC Third Party Assessment Organization (C3PAO), which will be accredited by the Cyber AB (formerly CMMC-AB).

CMMC 2.0 Level 3 Assessments

Organizations in the “Expert” level will have to become certified. At this level the certification assessment will be performed by government officials.

4) CMMC 2.0 PoA&M requirements

The initial version CMMC 1.02 did not allow for any open items in the Plan of Actions and Milestones (PoA&M) document. Now the DoD has softened its stance and intends to allow companies to receive contract awards with a PoA&M in place to complete CMMC requirements. However, only low-risk items are allowed to remain open on the list, and there is a 180-day period in which the contractor will have to remediate the issues and become compliant. In addition, there will be minimum assessment scores required. All the highest-weighted NIST SP 800-171 controls will have to be implemented without exception at contract award.

Waivers

The DoD is considering CMMC waivers but made it clear that these would be issued on a very limited basis. These are for select mission-critical instances and require approval by senior DoD leadership. The waivers have a limited duration and need to be supported by mitigation strategies to reduce the risk to the CUI handled by the contractor.

Timeline

All these changes impact the CMMC implementation timeline and rollout, which had started in early 2021 and has a 10/31/2025 deadline mentioned in DFARS 252.204-7021. Currently, CMMC 2.0 is in the rulemaking process, which is expected to take 9-24 months. The DoD stated that it will not include CMMC requirements in contracts until this process has been finalized. Once completed, CMMC will be part of new DoD contract requirements.

Considering that implementation of CMMC requirements can take several months, the time to start the journey towards CMMC compliance is now.

How We Can Help

Ecuron has been receiving CMMC Registered Professional training from the Cyber AB to be among the first companies qualified to help you become CMMC compliant. As a CMMC Registered Practitioner Organization™ (CMMC-RPO) with engagements in more than 10 states under our belt, Ecuron specializes in services designed to take you from your current status to full CMMC compliance in the most efficient way:

  1. CMMC Gap Analysis / CMMC Gap Assessment
    See where your organization stands and what it takes to achieve compliance
  2. CMMC Implementation Help
    Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing all documentation required.
  3. CMMC Pre-Assessment
    Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues, we will help you fix them. If your company needs to be assessed by a C3PAO or DoD official, we will recommend scheduling the final CMMC Assessment once we are confident that you are ready for it.
  4. CMMC Assessment Support
    If your company needs to be assessed by a C3PAO or DoD official, we help you prepare for the audit and gather & organize evidence for a smooth assessment. We will be at your side throughout the process.

To discuss your CMMC requirements and schedule a complimentary 30 min consultation, email us at cmmc@ecuron.com, use the form below, or give us a call.
