In November 2021, the Department of Defense (DoD) suspended CMMC 1.0 and implemented "CMMC 2.0," an updated program structure and set of requirements designed to achieve the primary goals of the DoD's internal review.
Understanding CMMC 2.0
CMMC 2.0 reduces the number of assessment levels from five to three and gives each level a name for clarity. The DoD has decided that CMMC 2.0 consists of a total of three Levels:
- Level 1 Foundation
- Level 2 Advanced, which tracks directly to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171
- Level 3, which tracks to a subset of requirements from NIST SP 800-172
Main assessment changes
- Level 1 consists of self-assessments with an annual affirmation from a C-suite officer that the company meets the Level 1 requirements. This means a lower cost of becoming CMMC compliant and a wider selection of experts who can assist companies that only have to meet Level 1.
- Level 2 takes a hybrid approach, dividing controlled unclassified information (CUI) into two categories: prioritized and non-prioritized. Companies requiring access to prioritized CUI will be required to undergo a third-party assessment from a certified third-party assessing organization (C3PAO). Companies requiring access to non-prioritized CUI will make an affirmation similar to the one required under Level 1 and be permitted to perform a self-assessment, like the NIST SP 800-171 self-assessment already required to be posted in the Supplier Performance Risk System (SPRS).
- Level 3 requires triennial assessments which will be performed exclusively by Government officials, not C3PAOs.
Plans of action and milestones (POAM) and waivers
Under CMMC 2.0, the DoD allows companies with an open POAM to be awarded contracts; however, a certain baseline must still be met. DoD has established a minimum score requirement, and the highest-weighted requirements cannot be left on the POAM.
DoD will be able to approve waivers, but only when a waiver is necessary to accomplish mission-critical work. These waivers will be strictly time-limited and can only be approved by senior DoD personnel.
What is Project Spectrum?
The DoD has developed Project Spectrum to help Defense Industrial Base (DIB) contractors assess their cyber readiness and begin adopting sound cybersecurity practices.
Need Expert Help?
As a CMMC Registered Provider Organization (RPO), MPG offers assessment and end-to-end cybersecurity delivery capabilities that give CMMC customers thorough guidance at any required CMMC level, along with strategic services to prepare an organization for CMMC success.