CMMC 2.0 - Major Changes for Contractors

Nov 11, 2021 7:00:00 AM |


Social Share:


Earlier this week, the Department of Defense and CMMC Accreditation Body released proposed changes to the CMMC implementation following a six-month review aimed at clarifying the standard, lowering the financial burden of compliance, and improving the program’s scalability. The overarching theme of the proposed changes is simplification. So, what’s new?


Simplifying the Model

CMMC 2.0 narrows the compliance levels from 5 to 3 named: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert. In the updated model, Level 1 may access Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Level 2 replaces the original Level 3 regarding access to CUI, and Level 3 replaces the original Level 5.



CMMC 2.0 proposes complete alignment with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3) and removes CMMC specific practices and processes from the model. This is meant to simplify the assessment process while staying true to the overall mission of securing the defense industrial base (DIB).



A third major departure from CMMC 1.0 is that CMMC 2.0 allows for organizations to self-assess. A self- assessment will be required for CMMC Level 1 Foundational. For CMMC Level 2 Advanced, organizations may be required to self-assess or have a third-party assessment depending on the type of information involved. This marks a notable shift in strategy towards a risk-based approach and an effort to not overburden the DIB unnecessarily. Under CMMC 2.0, Level 3 will be assessed by government officials.


What does this mean to DoD contractors?

For many contractors, this update will come as a relief. Maintaining compliance should be less costly and more easily managed. However, the fact remains that CMMC was developed due to weaknesses in our defense supply chain that must be addressed. I encourage you to leverage this opportunity to improve your cybersecurity policies and practices even now by performing a readiness assessment based on NIST 800-171.


What’s next?

CMMC 2.0 will be subject to rulemaking, including a 60-day public comment period. We will be following along and keep you up to date on the latest information.