In early November, the DoD released an announcement for version 2 of the CMMC compliance standard. Developed with feedback from defense agencies and contractors, CMMC 2.0 seeks to streamline the compliance and cybersecurity process without sacrificing the effectiveness of the measures contained therein. While CMMC version 1 is still in play for most organizations in the DoD supply chain, version 2.0 will signal a change in requirements once those rules have been approved and implemented.
This article will briefly touch on some of the significant changes suggested as part of CMMC 2.0.
Understanding CMMC Version 1
Before we dive into the big changes under CMMC 2.0, we should cover CMMC very briefly. While we have written about this topic previously, for the sake of shared understanding, we will cover the basics of CMMC.
These basics include:
- Five Maturity Levels: Currently, CMMC is broken into 5 different levels of maturity. The lowest, Level 1, is required to handle Federal Contract Information (FCI), and Level 3 is the minimum level to handle Controlled Unclassified Information (CUI). Level 5, the highest point of CMMC compliance, expects organizations to demonstrate advanced capabilities, a thorough and significant implementation of NIST SP 800-171 measures, and optimization and mitigation efforts targeting Advanced Persistent Threats (APTs).
- Practices and Processes: CMMC version 1.0 separated each maturity level into practices and processes. The former referred to the cyber hygiene of an organization, ranked from "Basic" (lowest) to "Advanced/Progressive" (highest). The latter spoke to an organization's ability to enact broader security-related processes such as documentation, risk management, and system optimization.
- Certified Third Party Assessment Organizations (C3PAOs): CMMC, much like some other frameworks, calls for unbiased audits conducted by third parties trained in CMMC certification. These organizations (C3PAOs) undergo extensive training from the CMMC Accreditation Board (CMMC-AB) and, in many cases, have undergone CMMC audits themselves. No contractor can achieve any level of certification without an audit conducted and approved by a C3PAO.
What's New in CMMC Version 2.0?
Based on the core requirements of CMMC 1.0, the DoD determined that they could streamline the model and subsequent compliance processes to save contractors time and money without sacrificing security.
To enact this approach, the governing bodies and decision-makers have delivered their overarching changes to the model, one that will start to make its way to contractors and agencies over the next year or two.
These changes include:
- Three Maturity Levels: Instead of five complete levels, CMMC 2.0 will only utilize three. In the original model, Level 2 was a middle ground between Levels 1 and 3 without much direct use, and it has been split and absorbed into both of those levels. Similarly, Level 4 was seen to lack purpose between Levels 3 and 5, and as such, much of it was split between those two levels.
Contractors handling FCI will be expected to meet Level 1 (Foundational) requirements, at minimum, and those handling CUI must meet Level 2 (Advanced) requirements. Level 3 (Expert) is a designation used for advanced security based on the needs of DoD agents.
- Unified Level Designations: Rather than having distinct categories of "practices" and "processes," CMMC version 2.0 uses a single "practice" category to measure compliance. Each Maturity Level includes a requirement for a certain number of practices drawn from NIST 800-171:
- Level 1: 17 Practices (identical to its CMMC 1.0 version)
- Level 2: 110 Practices
- Level 3: Above 110 Practices, determined by agency needs (specifically, protections against APTs)
- Limited Self-Assessment: In CMMC version 1.0, C3PAO audits were mandatory. Under version 2.0, agencies pursuing Level 1 certification can perform annual self-assessments instead. Furthermore, Levels 2 and 3 require triannual C3PAO assessments, but Level 2 includes an option, upon approval by the government, for annual self-assessment rather than third-party audits.
What's Happening with CMMC Version 1.0?
The short answer is that CMMC audits and maturity assessments are still in effect.
Currently, CMMC 2.0 rules are still in a "rule-making process" where feedback and revisions are underway. It is expected that it will be between 9 and 24 months before CMMC 2.0 goes into effect.
So, CMMC version 1.0 certifications are still required, valuable, and a significant part of defense cybersecurity, particularly for organizations managing CUI for client agencies. As of this writing, roughly 400 companies have scheduled audits with one of the five authorized C3PAOs. The process for certification under CMMC 1.0 is still valid. Consulting, audits, and assessments will still be honored by the CMMC-AB until a proper migration to CMMC 2.0 operations goes into effect.
Preparing For Your CMMC Audit?
Contact SecureStrux today to learn about our CMMC preparation and advisory services.