Three major changes announced for CMMC: fewer security tiers, new level definitions and requirements, and allowance for “Plan of Action & Milestone” reports. Learn more about the DoD’s major changes to the CMMC program.
Like everyone else in the world of federal compliance, we’ve been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020.
The controversial certification program has simultaneously been praised for its potential to raise cybersecurity standards for DoD contractors and criticized for the cost to comply, which is seen as a burden for many small businesses that are executing federal contracts.
On November 4, 2021, the DoD announced several updates and changes with the introduction of “CMMC 2.0,” which clarifies how CMMC will be implemented.
Paring Down the Scope
The initial CMMC draft established five tiers of cybersecurity requirements for contractors. The tier with which a contractor needs to comply is based on the types of data they work with to execute federal contracts. With CMMC 2.0 there are now only three security tiers designed to simplify the program requirements:
- CMMC Levels 2 and 4 from the original framework are eliminated, along with all maturity-level processes.
- Level 1 Foundational: Includes the same 17 controls outlined in the original CMMC framework, but now requires only an annual self-assessment and affirmation by company leadership.
- Level 2 Advanced: Pares down the 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST SP 800-171. The DoD is working on a process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advanced requirements every three years (triennially). All other organizations will only be required to perform an annual self-assessment and company affirmation. Organizations that are not required to undergo an independent assessment by a C3PAO may still have one performed, and we expect it to be valid in the same way as assessments for “prioritized acquisitions.”
- Level 3 Expert: This level replaces what was formerly known as CMMC Level 5. Details of this level are still being defined; it is expected to incorporate a subset of controls from NIST SP 800-172.
Removing Some Third-Party Assessment Requirements
Under the new model, Level 1 contractors will no longer be required to get a third-party certification. Instead, they will follow a self-assessment protocol which can significantly reduce the cost of compliance for many contractors. These self-assessments will require an annual affirmation by company leadership.
CMMC 2.0 Level 2 assessment requirements have also been updated allowing for self-assessments in some cases, in lieu of the required independent assessments. Under CMMC 2.0, third-party assessments will only be required for companies “supporting the highest priority programs.”
In order to ensure compliance and avoid any penalties, many of which are significant, it’s highly recommended you hire a third-party assessor to complete your CMMC certification. A third-party assessment will help to accelerate your revenue and market growth and differentiate your business by providing your customers with the assurance that you have the necessary controls in place.
Minimizing Barriers to Pass Assessment
The self-assessments are just one part of the changes implemented to remove assessment barriers for contractors. Another key piece is the decision to allow “Plans of Action & Milestones” (POA&M) reports in certain cases. With these reports, contractors can pass an assessment even if they do not currently meet every required security control, provided their report properly outlines a plan of action, with deadlines, to meet those controls in the future. We expect the DoD to further refine the POA&M requirements for CMMC 2.0. Expect to see DoD requirements for findings to be resolved within 180 days and guidance on what may constitute a “showstopper” preventing a CMMC certification.
Overall, the changes implemented significantly streamline the requirements to comply with CMMC and remove a lot of barriers to compliance for smaller contractors. At this time, it appears that CMMC pilots and contract requirements will be temporarily suspended until the DoD finalizes these CMMC 2.0 changes.
For contractors who are waiting in the wings, the wait continues. We continue to advise that companies prepare for CMMC by staying up to date with changes and announcements from the DoD, researching options for assessment partners (if a third-party assessment is still relevant to your company), and seeking compliance with the existing NIST 800-171 framework in order to give your company a leg up on eventual CMMC compliance.
Questions about CMMC? Contact an expert at A-LIGN