What are the CMMC 2.0 Major Changes?
In November of 2021, the Pentagon announced the completion of its CMMC internal review. This announcement introduced CMMC 2.0, marking significant changes to the original model in the DFARS Interim Rule.
So what are these changes, and how do they affect your business?
CMMC 2.0 — What Has Changed? 2024 Update
The Department of Defense originally introduced Cybersecurity Maturity Model Certification (CMMC) to add stronger cybersecurity with greater accountability to the Defense Industrial Base (DIB). During its review phase, the standard received vocal criticism from smaller contractors. With the internal review now complete, it appears the DoD has taken those criticisms to heart.
Consulting Support for CMMC Compliance
At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide NIST/CMMC training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).
We also help you with your guided self-assessment.
We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), Roadmap, and budget. Core Business Solutions is a NIST/CMMC Registered Practitioner Organization (RPO).
Here are the biggest changes to CMMC:
1. No More Transition Levels
CMMC 2.0 brings a major structural change to the original model. CMMC 1.0 contained five maturity levels. The new version eliminates the transition levels, Level 2 and Level 4, simplifying the model to just three levels.
2. No More Third-Party Assessment for Level 1
If you only require CMMC Level 1, this is great news.
In the original version of CMMC, every maturity level required official assessment by a Certified Third Party Assessment Organization (C3PAO).
Now, businesses at CMMC Level 1 will not require such an assessment.
Instead, they will perform annual self-assessments with affirmation by senior leadership, submitted to the Supplier Performance Risk System (SPRS). This will save small contractors big money in assessment costs.
CMMC 2.0 Level 1 (Foundational) remains the required level for companies that don’t handle Controlled Unclassified Information (CUI) but only handle Federal Contract Information (FCI).
CMMC 2.0 Level 2 (Advanced) replaces the original CMMC Level 3. This is the required level for contractors who handle CUI. However, it only contains 110 of the 130 practices in the original Level 3. More on that is below.
CMMC 2.0 Level 3 (Expert) now contains the more stringent requirements of the original Level 5. Relatively few contractors will require this specialized level of cybersecurity.
3. Some Level 2 Companies Won’t Require Third-Party Assessment—Perhaps
This is perhaps the most nebulous change. The DoD has proposed a “bifurcation” of the original CMMC Level 3 requirements, prioritizing certain acquisitions for third-party assessment while allowing others to self-attest their compliance.
What exactly does this mean for your business? Until the government provides further clarification, it’s impossible to know for sure. In the meantime, it’s best to prepare as if all CMMC Level 2 companies (formerly Level 3) will require a third-party assessment.
4. No More Additional Practices
This directly affects contractors who handle CUI. The original CMMC requirements added 20 unique practices to the original 110 of NIST SP 800-171. The Department has now dropped these 20 additional requirements entirely.
110 practices is still not a small number, but dropping the 20 extra practices removes some of the burden for CUI-handling contractors.
5. No More Maturity Processes
CMMC 2.0 no longer contains the maturity processes of the original version. This drastically cuts down the required documentation and removes much ambiguity from the old model.
6. Plan of Action and Milestones (POAM)
The previous version of CMMC required a 100% passing grade. Now, like previous DFARS requirements, contractors can submit a time-limited “Plan of Action and Milestones” to address specific areas of non-compliance.
This means you no longer need a perfect compliance score to receive certification. You can present a definite, time-framed plan to fill reasonable gaps in your compliance. After a period determined by the DoD, you will be re-assessed to ensure the POAM items have been remediated.
Please note that the DoD may consider some practices too essential for a POAM. Such items will still require full compliance.
This change should reduce much of the stress from the assessment process, providing a way forward if you don’t get a perfect score.
What This Means For You
It appears that the DoD has heard the concerns of small businesses and taken them seriously.
If you’ve been preparing for CMMC, these changes might feel overwhelming. But ultimately, they should make the process simpler and more affordable for small contractors.
CMMC still has not appeared in actual defense contracts.
The proposed changes will likely cause the rollout to take longer than previously expected. Even so, contractors must continue to meet the self-assessment requirements of the DFARS Interim Rule.
If you need CMMC Level 1 or Level 2 (formerly Level 3), these changes should offer some relief. You should not view these changes as a reason to pause your preparations. CMMC is still coming, and every contractor will need some level of certification, whether self-assessed or not.
Here’s a look at how Core Business Solutions can help defense contractors:
- Our compliance and cybersecurity consultants help you learn the requirements of CMMC and apply them to your specific context.
- We provide online training for your leadership, staff, and IT professionals.
- We assist your company with self-assessment and submission to SPRS.
- We assist your company in preparation for the third-party certification audit.
- For CORE subscribers, we deliver the technical security solutions required for certification, such as vulnerability scanning, penetration testing, email phishing testing, managed antivirus, managed patch management, secure data backup, secure file storage/sharing, and more.
- For CORE subscribers, we offer on-premise and cloud-based enclave solutions for secure, encrypted computing environments.
When you work with Core, you take the uncertainty out of CMMC. Give us a call at 866.354.0300 or contact us today for a free quote.
Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.