CMMC 2.0 – What Changed & What Should Government Contractors Do Next?
November 12, 2021
On November 4, 2021, the DOD launched CMMC 2.0 which significantly streamlined requirements for the Defense Industrial Base (DIB) to meet required cybersecurity standards (DOD Press Release).
- Simplifies the CMMC standard and provides additional clarity on cybersecurity regulatory, policy and contracting requirements.
- Focuses the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs.
- Increases the DOD oversight of professional and ethical standards in the assessment ecosystem.
Image Source: OUSD A&S
So what has changed from CMMC 1.0 to CMMC 2.0? Three things:
• Maturity Levels
• Assessment Requirements
• Implementation Approach
CMMC 2.0 continues to be a multi-tiered framework, but the number of levels has been reduced from five (in CMMC 1.0) to three. Level 1 requirements stayed the same. The previous Maturity Levels 2 and 4 (the transitional levels) were eliminated. Maturity Levels 3 and 5 were renamed and now align directly with well-known NIST standards rather than with CMMC-specific practices.

| CMMC v1.0 | CMMC 2.0 | Status |
|---|---|---|
| Level 1 | Level 1 (Basic) | No change |
| Level 3 | Level 2 (Advanced) | Revised to match the existing NIST SP 800-171 standard (110 practices). The additional CMMC-unique security practices and process-maturity expectations of CMMC 1.0 ML3 have been eliminated. |
| Level 5 | Level 3 (Expert) | Revised to NIST SP 800-171 plus a subset of NIST SP 800-172 requirements. |
CMMC 2.0 sharply reduces the number of contractors that need a third-party assessment. Instead of requiring a C3PAO certification at every level, it ties the type of assessment to the sensitivity of the information shared with the contractor:
• Self-Assessments: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against the specified standard (FAR 52.204-21 for Level 1, NIST SP 800-171 for Level 2). The self-assessment must be accompanied by an annual affirmation from a senior company official that the company is meeting the requirements. Both the self-assessment results and the affirmation will be registered in the Supplier Performance Risk System (SPRS). Note that a false affirmation by a company official is exactly the kind of statement the False Claims Act reaches.
• Third-Party Assessments: Contractors handling information critical to national security (the prioritized subset of Level 2) will be required to undergo third-party assessments every three years. These assessments will be performed by CMMC Third-Party Assessment Organizations (C3PAOs) and coordinated and scheduled between the contractor and the C3PAO.
• Government Assessments: The highest priority, most critical defense programs (Level 3) will require government-led assessments every three years. The detailed assessment requirements for Level 3 are still under development.
The interim DFARS rule (DFARS Case 2019-D041) had established a five-year phase-in period during which CMMC 1.0 requirements would be added to selected contracts. With CMMC 2.0, DOD has suspended that pilot approach and intends to codify the framework through formal rulemaking (changes to 32 CFR and 48 CFR) before including CMMC requirements in contracts; once the rules are final, the requirement applies to all affected DOD contractors at the same time rather than through a staged pilot. DOD expects the rulemaking to take 9 to 24 months.
In addition, the required CMMC level for prime contractors and subcontractors will be specified in future solicitations and Requests for Information (RFIs), so a company can determine which level (and which assessment type) applies to the work it is bidding on.
What is the impact of CMMC 2.0 changes on government contractors?
CMMC 2.0 significantly reduces assessment costs for all companies at Level 1 and for the non-prioritized subset of companies at Level 2, because a self-assessment replaces a paid C3PAO engagement. While costs have come down, the consequences of noncompliance have not: loss of government contracts, or worse, False Claims Act liability for a false self-assessment or affirmation.
The updated framework also allows companies to receive contract awards with a Plan of Action and Milestones (POA&M) in place for requirements not yet fully implemented. POA&M items must be closed within a clearly defined timeline (anticipated to be 180 days or less). DOD will also set a minimum assessment score (a baseline number of implemented security practices) that must be achieved prior to contract award, and has stated that a small subset of the highest-weighted requirements will not be eligible for a POA&M at all. In practice, a POA&M is a bridge for a handful of remaining items, not a substitute for implementing the standard.
What should government contractors do next?
The goals of the revised CMMC 2.0 program remain the same:
- Instill a collaborative culture of cybersecurity and cyber resilience
- Ensure accountability for companies to implement cybersecurity standards
In addition, the DIB continues to be a target of increasingly frequent and sophisticated cyberattacks by nation-state adversaries and non-state actors. Many DIB contractors are already contractually obligated to implement NIST SP 800-171 under DFARS 252.204-7012, a requirement that has been in place since 2016, and that obligation does not pause while CMMC rulemaking proceeds. The financial risk of misrepresenting compliance has also grown with the launch of the DOJ Civil Cyber-Fraud Initiative, which uses the False Claims Act against contractors that knowingly misstate their cybersecurity posture, and with the related Cyber Incident Notification Act under development in Congress.
So, don't delay cybersecurity activities. Start by addressing foundational practices that appear at every CMMC level and map directly to NIST SP 800-171 control families:
- Educate your users about cyber threats through security awareness training (Awareness and Training).
- Implement access controls that limit who can reach your information systems and what data, particularly Controlled Unclassified Information (CUI), each user can access (Access Control).
- Implement multi-factor authentication for user access, starting with remote access and privileged accounts (Identification and Authentication).
- Keep security protections current, e.g., by patching systems in a timely manner and ensuring anti-virus and other security tools are up to date (System and Information Integrity).
Got questions? Connect with an experienced Aprio Cybersecurity advisor today.