As we say goodbye to CMMC 1.0, we are now faced with making the move to CMMC 2.0. You might be asking, “What changes will we see with CMMC 2.0?” Here are some of the major changes you should know about.
What are some of the major changes we will see with CMMC 2.0?
Elimination of Levels 2 and 4
Compared with CMMC 1.0, the new and improved CMMC 2.0 has only three levels instead of five. Eliminating levels 2 and 4 allows for a more flexible and efficient implementation. The new program also makes Level 2 easier to meet for contractors who work with controlled unclassified information (CUI).
CMMC 2.0 has these 3 levels:
Level 1 (Foundational)
- Model: 17 practices
- Assessment: Annual self-assessment
Level 2 (Advanced)
- Model: 110 practices aligned with NIST SP 800-171
- Assessment: Triennial third-party assessments for critical national security information; annual self-assessments for select programs
Level 3 (Expert)
- Model: 110+ practices based on NIST SP 800-172
- Assessment: Triennial government-led assessments
Allowing Annual Self-Assessments
Allowing self-assessments under the CMMC 2.0 guidelines reduces assessment costs and gives contractors more flexibility. CMMC 1.0 required all Department of Defense contractors to undergo third-party assessments for CMMC certification. The requirements for your CMMC certification depend on the type of sensitive information your organization works with. Some things to note:
- Organizations pursuing CMMC Level 1 will benefit the most from the change, since they will no longer need a third party for CMMC approval.
- Level 1 companies will save time and money under the CMMC 2.0 procedures.
- Self-assessments carry risk, such as human error. Level 1 companies should be aware of this risk and ensure their self-assessment reports are accurate.
Development of a Time-Bound and Enforceable Plan of Action and Milestone Process
CMMC 2.0 offers contractors a time-bound Plan of Action and Milestone (POA&M). With a time-bound Plan of Action, your company does not have to be perfect to pass its assessment; it gives you the flexibility to fix the issues in your current environment that would otherwise prevent you from passing. A Plan of Action and Milestone establishes the steps and dates for resolving each gap. A re-assessment is required to confirm that the resolution is complete. As long as you make a good-faith effort to meet the requirements during your assessment, you can work on the areas that need attention through a Plan of Action.
Development of a Selective, Time-Bound Waiver Process (if needed and approved)
In situations where a contractor has a system that is needed to perform a contract but cannot be secured in time, a time-bound waiver will be issued. A mission-critical contract would receive a waiver if its security measures are not adequate by the time the contract is executed. These waivers are time-limited and can only be approved by Department of Defense personnel. Under CMMC 1.0, waivers did not exist and security measures were simply a pass or fail. CMMC 2.0 gives contractors more flexibility with its option for time-bound waivers.
Stay Secure with Kyber Security
As the cyber threat landscape constantly evolves, your security measures should stay one step ahead. Kyber Security has dedicated professionals experienced in protecting your organization from ever-increasing cyber threats. We will work tirelessly to keep your company protected from cyber-attacks.
Ready to put security first? Sign up to get started.