What is CMMC 2.0?
Cybersecurity Maturity Model Certification (CMMC) 2.02 (commonly referred to as 2.0) is the current cybersecurity certification standard the Department of Defense (DOD) is defining through the rulemaking process. There will be changes to Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. There will be a public comment period for the rule changes. During the rulemaking process, DOD will suspend the current CMMC efforts and will not include CMMC requirements in any of the DOD solicitations. It is estimated the CMMC 2.0 rule making process will take nine to 24 months to complete.
DOD has made some concessions with CMMC 2.0, notably in the areas related to subcontractors and plans of action and milestones (POAMs).
Subcontractors will only be required to comply with the CMMC level based upon the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that flows down from the prime contractor. For example, if the prime contractor handles CUI but only requires the subcontractor to handle FCI and no CUI, then the subcontractor is only required to comply with the Level 1 Certification requirements.
POAMs will be allowed. Under CMMC 1.0, if there were any issues identified, the supplier failed and was not certified. Under CMMC 2.0, issues will be documented as a POAM and the risk associated with the issue will be assessed. DOD is still defining what is an acceptable POAM and the minimum score level that must be obtained on the certification.
How do CMMC 2.0 levels differ from CMMC 1.0?
Level 1 (Foundational) – Suppliers handling only federal contract information (FCI).
Organizations will still be required to implement the same 17 NIST SP 800-171 practices as CMMC 1.0. Organizations will be required to submit an annual self-certification, and will not be required to obtain a third-party certification. These self-assessments must include an affirmation by a senior company official.
Level 2 (Advanced) – Suppliers handling Controlled Unclassified Information (CUI).
All suppliers that handle CUI are required to implement the new Level 2 standard. Level 2 is now equal to the current 110 NIST SP 800-171 practices and any future changes. DOD will work with NIST to add any further requirements via updates to SP 800-171.
The DOD has decided there are two classes of CUI, specifically that some CUI is critical to national security and some is not. DOD will use the rule making process to define what CUI is not critical to national security. This information will be included in the rule making.
Suppliers handling CUI which is not critical to national security will be required to implement the 110 NIST SP 800-171 practices and submit an annual self-certification with an affirmation by a senior company official. Third-party certifications are encouraged but not required. DOD may provide some incentives for suppliers who voluntarily obtain a third-party certification.
Suppliers handling CUI that is critical to national security will be required to implement the 110 NIST SP 800-171 practices and obtain a third-party certification. Suppliers must obtain a third-party assessment every three years. DOD is looking to develop acceptance standards between CMMC and other assessments such as the NIST SP 800-171 DOD Assessment Methodology and the GSA Federal Risk and Authorization Management Program (FedRAMP) requirements for commercial cloud service offerings.
Level 3 (Expert) – Suppliers for the highest priority most critical defense programs.
Suppliers in this category are required to implement the 110 NIST SP 800-171 practices plus selected practices from NIST SP 800-172. The full set of practices for Level 3 is in the process of being defined. These suppliers will be required to undergo government-led assessments.
McKonly & Asbury is on the path to obtain certification as the C3PO Assessor Organization by mid-2022. Visit our CMMC webpage or contact us today with any questions or to schedule an initial consultation.