The Department of Defense (DoD) unveiled a major revision of the CMMC 1.0 program on November 4, 2021. The new framework, named CMMC 2.0, is still being developed and is not yet officially available, leaving many Defense Industrial Base contractors and subcontractors with a lot of worries about how they’ll need to react.
The CMMC security program has undergone significant adjustments.
While CMMC 2.0 will succeed CMMC 1.0, the primary purpose of the new framework remains the same: to secure FCI and restricted unclassified information (CUI). CMMC 2.0: Assessment Simplified and Streamlined was created to simplify and expedite the review process.
The number of accreditation levels are reduced from five to three.
The new version has removed CMMC-specific maturity procedures and practices.
Levels 2 and 3 criteria are aligned with NIST Special Publication (NIST SP) 800-171 and 800-172 regulations from the National Institute of Standards and Technology.
Allows POAMs as well as waivers to be used.
The substantial modifications to the CMMC program and how these improvements would affect DIB contractors are detailed in this article.
CMMC 2.0 Level 1
There is currently no material provided on the precise practices or controls required at each tier of CMMC 2.0. The new levels’ compatibility with other government mandates and widely established standards, on the other hand, provides firms with a rough notion of the sorts of security services required to comply with the upgraded CMMC regulation framework.
Contractors who administer FCI but not CUI are classified as Foundational/Level 1 contractors. They will be required to apply FAR 17, the Federal Acquisition Regulation’s 17 most fundamental cybersecurity principles, which focus on physical safety and administrative control. While this is the lowest degree of compliance, putting these controls in place is difficult, and firms should be cautious when doing so.
Level 2 (Advanced)
Contractors who handle FCI and CUI, whether crucial or less vulnerable to national security, are included in this category. They must install many more measures than they did in Level 1, including the 110 cybersecurity measures outlined in NIST SP 800-171. Access control, identity and verification, understanding and orientation, and other topics are covered.
The good news is that NIST SP 800-171 is the sole Level 2 compliance standard. Contractors are no longer required to follow the specific security measures outlined in CMMC 1.0. However, because NIST has disclosed intentions to revise the standard, the number of rules and procedures that businesses are required to apply may change.
Level 3 (Expert)
This category includes large primary vendors and organizations that work on extremely sensitive national security initiatives. They deal with CUI that might jeopardize public safety, which is why they are liable to much tighter regulations than Level 2 employees. Level 3 vendors must incorporate 35 sophisticated measures in relation to the 110 controls from NIST SP 800-171, which are developed from NIST SP 800-172.
Given this knowledge, DIB contractors should adopt NIST SP 800-171 controls as soon as possible to position themselves for when CMMC 2.0 becomes a binding contract.…