CMMC 2.0: Changes, Levels and Updates


A Complete CMMC 2.0 Framework Guide

The Department of Defense (DoD) has recently (November 5th, 2021.) launched CMMC 2.0, a framework that aims to protect sensitive data from frequent and complex cyber-attacks. The CMMC 2.0 model is an upgraded version of CMMC 1.0, and it comes with different requirements DoD contractors and governmental agencies will need to follow.

Let Us Help You Achieve the CMMC 2.0 Certification?

You can count on IVTAS specialists to lead you through the process of understanding the CMMC 2.0 framework and adopting the best cybersecurity practices for elevated protection against emerging threats. Upon assessment, we’ll recommend the best practices to strengthen your security and become CMMC-compliant in the long run. Don’t hesitate to contact us for a free CMMC 2.0 compliance assessment and find the most efficient solutions to take your cybersecurity to the next level.

  • FREE initial cybersecurity assessment
  • Assessment report with a comprehensive security plan
  • The roadmap for achieving compliance, priorities, and milestones
  • Taking care of your cybersecurity infrastructure

What is CMMC 2.0?

The new CMMC model, also known as CMMC 2.0, is a newly adopted version of the CMMC 1.0 version the DoD released on November 5th, 2021. Its goal is to upgrade the company’s cybersecurity awareness and enforce the cooperation between the Department of Defense and the industries in fighting advanced cyber threats.

Which are the CMMC 2.0 Changes?

The CMMC 2.0 framework is characterized by streamlined requirements for safeguarding DoD information. The number of security tiers is no longer five, but three, and some recently added maturity practices will also be removed from the framework.

Third-Party Assessment is No Longer Required

The biggest change for DoD contractors is that CMMC will no longer require contractors to get a third-party certification if their work doesn’t include controlled unclassified data. This modification could significantly reduce the compliance cost for small businesses and contractors required to meet the Cybersecurity Maturity Model Certification.

The upcoming changes will only require prioritized contracts to go through third-party assessments. On the other hand, contractors handling controlled unclassified information (CUI) will be able to follow the CMMC 2.0 self-assessment guidelines.

Less Strict Requirements

Another great change in the CMMC framework refers to “Plan of Action and Milestone” (PoAM) reports. These reports give contractors that don’t meet all security controls more to prove that they’ll do it in the future.

This allows contractors to continue to work with the DoD even though they still don’t meet the necessary requirements. Besides, contractors will be able to pass an assessment and prove their compliance later.

Introducing CMMC 2.0 Levels

Unlike the first CMMC version, which included five maturity levels, the novel CMMC 2.0 requirements are summarized on three degrees:

  • Level 1 (Foundational): The foundational level requires contractors to adopt the 17 controls from NIST SP 800-171 and submit a self-assessment to the DoD through the SPRS (Supplier Performance Risk System) once a year.
  • Level 2 (Advanced): At this level, contractors must implement the 110 controls from NIST SP 800-171 and provide an annual self-assessment or a triennial independent assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO).
  • Level 3 (Expert): The DoD contractors should implement the 110 controls in NIST SP 800-171 and certain controls from NIST SP 800-172 before they undergo a triennial assessment led by the government. The third level of the CMMC 2.0 is still under development.

cmmc 2.0 changes

Microsoft and CMMC 2.0 Updates

With all the changes in the CMMC framework, contractors aren’t sure about whether they need GCC High to meet the CMMC 2.0 requirements. The answer is no – you don’t need GCC High to comply with certain CMMC 2.0 levels, but you’ll need it for other reasons. Namely, GCC High is required for contractors who manage, create, or hold some of the following data:

  • Export Controlled CUI
  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • CUI that requires US Sovereignty (CDI, FERC/NERC, NASA, NOFORN)
  • Criminal Justice Information Systems (Federal)

Benefits of CMMC 2.0

The key changes in the CMMC framework could significantly facilitate the process of achieving and maintaining compliance, as well as bring the following benefits:

  • More streamlined model: A more streamlined model of the CMMC 2.0 framework focuses on the most critical requirements, making it easier for contractors to understand and accept them.
  • Uses accepted cybersecurity standards: CMMC 2.0 aligns with the NIST cybersecurity standards, which are widely accepted nationwide.
  • Reduced assessment costs: The ability to prove compliance through self-assessment helps companies reduce costs.
  • Enhanced collaboration: Under certain circumstances, CMMC 2.0 allows companies to make Plans of Action & Milestones (POA&Ms) to get the certification.
  • More flexibility: The novel framework allows waivers to CMMC standards in specific situations.

CMMC 2.0: Key Takeaways

It’s vital to remember that cybersecurity, as a requirement, is not going away. Moreover, the ultimate goal of the CMMC 2.0 framework is to simplify the compliance process and help contractors become compliant more quickly.

Here are some important things to consider now that the CMMC regulations have changed:

  • Don’t forget that the defense industrial base is subject to DFARS, meaning that you’re already required to meet NIST 800-171 and DFARS 7012 requirements.
  • A recently announced DOJ Cyber-Fraud initiative allows the DOJ to pursue false claims act against federal contractors who fail to comply with NIST 800-171 cybersecurity requirements.
  • Although the CMMC 2.0 requirements give you more time to put everything in its place, it doesn’t mean that you should relax – remember that the DFARS 7021, NIST 800-171, and the requirement to submit a self-assessment report still stand.

CMMC compliance has always been a headache for small businesses, and opinions about its efficiency are divided. While some believe that CMMC could significantly augment cybersecurity levels inside a company, others think that it could penalize organizations that cannot afford to maintain compliance.

However, cybersecurity experts agree that CMMC 2.0 will strengthen the security of the defense industrial base. Since it fosters a more collaborative relationship between the DoD and the industries, the CMMC encourages the businesses to adopt the best cybersecurity practices to fight the most sophisticated cyber threats and become compliant much easier.

Get Closer to CMMC 2.0 Compliance with IVTAS MSSP

Although CMMC 2.0 has facilitated the compliance process, it doesn’t mean that cybersecurity has faded away. To ensure a safe working environment and enhance your collaboration with the DoD, get in touch with IVTAS cybersecurity experts and let us establish the most efficient cybersecurity solutions to fight emerging cyber threats like a pro.

Related Compliance Services