The evolution of CMMC is here - introducing CMMC 2.0

Welcome to the Evolution of Cybersecurity Maturity Model Certification – CMMC 2.0

Back in September, we wrote a blog about the Cybersecurity Maturity Model Certification (CMMC) program. In it, we explained how the Department of Defense introduced CMMC in 2019 to strengthen cybersecurity standards for Department of Defense (DoD) contractors. 

CMMC builds a set of cybersecurity requirements into acquisition programs. It’s designed to help provide the DoD with confirmation that firms within the Defense Industrial Base (DIB) are meeting those requirements.  

Why a Change from CMMC 1.0 to 2.0? 

In 2020, the DoD published an interim rule to the Defense Federal Acquisition Regulation Supplement, or DFARS, in the Federal Register. Now referred to as CMMC 1.0, the interim rule implemented the department’s vision for the program and outlined the program framework.  

This interim rule, which went into effect in November of 2020, included a five-year phase-in period. 

Four months after the effective date, the DoD conducted an internal review of the CMMC implementation. It also fielded hundreds of public comments, through which people voiced their concerns. Among them was the concern that smaller DIB contractors may struggle to meet the complex CMMC requirements because of the cost.

Modifications Made to CMMC Program 

As a result of the General Accounting Office and industry feedback, the Defense Department overhauled the CMMC program. Then, in November of 2021, it rolled out CMMC 2.0. With it, the DoD is adjusting the CMMC structure and requirements to make it simpler and easier to achieve compliance.  

For example: 

  • They’ve streamlined the model from five to three compliance levels, to focus on the most critical requirements. The model will incorporate the National Institute of Standards & Technology (NIST) cybersecurity standards.
  • Instead of 171 practices, there are now 130. This aligns Level 2 practices with NIST SP 800-171.
  • They’re reducing assessment costs by allowing companies at Level 1 (and some at Level 2) to demonstrate compliance via self-assessments. Oversight of the professional and ethical standards of third-party assessors is also being increased.
  • In certain instances, companies may use Plans of Action & Milestones (POA&Ms) to achieve certification, and some CMMC requirements may be waived.

CMMC 2.0 Rulemaking and Timeline 

As with CMMC 1.0, the DoD will build in a public comment period and solicit input from industry stakeholders. According to a recent Federal News Network article, DoD estimates the rulemaking process will take between nine and 24 months. 

Right now, the Defense Department is suspending the current CMMC piloting program. As a result, it won’t approve the inclusion of a CMMC requirement in any DoD solicitation.  

In addition, the department is weighing the idea of offering financial and other incentives to contractors, to encourage them to improve their cybersecurity posture in advance of the rollout of CMMC 2.0.

SP6 Can Help You With CMMC 

As a CMMC Registered Provider Organization (RPO), SP6 understands the Cybersecurity Maturity Model Certification program. Our team of CMMC registered practitioners can work with your organization to navigate this complex program.

Though some CMMC 2.0 criteria have yet to be announced, SP6 strongly suggests your organization work toward full compliance with NIST 800-171. Put your information in the current Supplier Performance Risk System (SPRS), so the DoD can view the progress you’re making.  

While some technology companies can solve for parts of CMMC, SP6 is taking a holistic approach and offering expertise in all aspects of CMMC. This way, we can ensure you meet all the necessary requirements. To discover how we can help you with CMMC, contact us to schedule a free consultation.