The Department of Defense (DoD) revealed numerous revisions to the Cybersecurity Maturity Model Certification (CMMC) program, now known as CMMC 1.0, on November 4, 2021. The new framework, CMMC 2.0, results from the Department of Defense’s months-long organizational study of CMMC 1.0’s execution and substantial revisions to the system’s overall planning.
While the original program focused on protecting critical national security data, CMMC 2.0 builds on it by simplifying the CMMC security requirements and clarifying the cybersecurity regulation, strategy, and procurement criteria that go with them.
Businesses working on the highest-priority programs should be subject to the most stringent cybersecurity requirements and assessment criteria.
Enhancing DoD oversight of third-party assessors' ethical and technical standards.
CMMC 2.0’s main characteristics
Many of the contentious features of CMMC 1.0 have been removed, including maturity processes, limitations on plans of action and milestones (POA&Ms), and, in some situations, the requirement for third-party assessments. The accompanying changes aim to streamline the model, lower assessment costs, and allow for more flexible implementation.
Fewer compliance levels
CMMC 1.0 included five levels of increasing compliance, with Levels 2 and 4 serving as transitional levels. The new model has only three levels:
Level 1 (Foundational): This level is largely unchanged, requiring organizations to follow 17 fundamental cybersecurity practices in order to secure federal contract information (FCI). The difference is that, instead of requiring certification from CMMC Third-Party Assessment Organizations (C3PAOs), the DoD will allow companies to perform annual self-assessments for compliance.
Level 2 (Specialized): Like CMMC 1.0's Level 3, the new Level 2 is based on the National Institute of Standards and Technology Special Publication NIST SP 800-171, which specifies 110 cybersecurity practices. For contracts involving controlled unclassified information (CUI), the Department of Defense will require vendors to obtain triennial assessments from C3PAOs. For other contracts, annual self-assessments will be sufficient.
Level 3 (Expert): The revised Level 3 is built on a subset of NIST SP 800-172 requirements and roughly corresponds to Levels 4 and 5 of CMMC 1.0. A government-led assessment team, not a C3PAO, is required to perform triennial assessments for Level 3 (Expert) certification.
No maturity processes
When cybersecurity processes are consistently documented, managed, reviewed, and optimized, they can be carried out more reliably and efficiently. Accordingly, the CMMC 1.0 maturity processes assessed how well a company had integrated its practices into its culture and operations. This gave the Department of Defense some assurance that contractors could safeguard sensitive data not only during an assessment but at all times.
Maturity processes are entirely eliminated in CMMC 2.0. Because the majority of their criteria were already covered by NIST SP 800-171, they were considered redundant: following the maturity process criteria would have contractors spend time on the administrative side of cybersecurity rather than on genuinely safeguarding national intellectual property.
No CMMC-specific practices
CMMC 1.0 differed from earlier cybersecurity frameworks in that its requirements combined the NIST SP 800-171 requirements with 20 unique practices aimed at making vendors more security aware.
Because CMMC 2.0 eliminates all CMMC-specific security practices, the new framework relies solely on practices defined in other documents, primarily NIST SP 800-171 and NIST SP 800-172.