What is CMMC 2.0 and, Why Is the Defense Department Changing Requirements?

cmmc 2.0 featured

The Cybersecurity Maturity Model Certification (CMMC) framework is a relatively new yet still partially implemented set of cybersecurity regulations targeting DoD agencies and contractors. The DoD specifically built the rules to address the IT infrastructure and security practices needed to handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). After a lengthy review, the DoD has, as of November 2021, released an updated version of CMMC, known colloquially as CMMC 2.0.

What is CMMC 2.0? We’ll cover some of the more significant changes here, what this means for DoD contractors, and how you can prepare for the change.

What is CMMC Certification?

While we have covered the basics of CMMC in other publications, it helps to have a guidepost for discussing the rather important changes coming with version 2.0. 

The Department of Defense created CMMC to help standardize a framework for securing FCI and CUI based on maturity and capabilities. CMMC draws from other security resources like NIST publications, ISO standards, and other federal standards to substantiate a model that contractors can adhere to. 

Some of the major features of CMMC include the following:

  • Maturity Levels: CMMC broke maturity into five levels based on an organization’s capabilities (documenting security, implementing optimizations, etc.) and implemented security measures drawn from the NIST 800-171 control catalog. Lower levels were associated with less mature infrastructure, and organizations needed a minimum of Maturity Level 3 to handle CUI. 
  • Certified Third-Party Assessment Organizations (C3PAO): As part of CMMC certification, an organization was required, no matter the level, to receive an audit and approval from a certified third-party assessor, known as a C3PAO. These C3PAOs were authorized through the CMMC Accreditation Body (CMMC-AB) to provide audits and higher levels of certification from an organization called for a C3PAO with equal or higher authorization. 
  • Immediate Compliance: As part of a C3PAO audit, your organization must meet all minimum requirements of the relevant security level. Following that, there was some anxiety around the role of Plans of Actions and Milestones (POA&M), a common document in many compliance frameworks that outlines how an organization will address gaps between existing infrastructure and compliance requirements. In some frameworks, a POA&M can help expedite authorization so long as the plan is executed. In CMMC, however, all measures must be implemented prior to certification.

What is CMMC 2.0?

cmmc 2.0

Released November 4, 2021, version 2 of CMMC changes several aspects of CMMC as it stood in version 1, reflecting nearly a year of feedback and response from defense agencies and their partner vendors.  

CMMC 2.0 changes some of the fundamental CMMC requirements listed above to streamline compliance and auditing better. As such, contractors and vendors will see the following changes become a reality over the next year or two:

  • Consolidation of Maturity Levels: CMMC 2.0 changes how the DoD will approach maturity and level ranking. Instead of five levels based on capacities and capabilities, CMMC will now use a three-level model:

    • Level 1 (Foundational): Includes 15 required security practices as drawn from NIST 800-171.
    • Level 2 (Advanced): Includes 110 security practices (aligned 100% with NIST 800-171).
    • Level 3 (Expert): Includes over 100 security practices (based on NIST SP 800-172 and special requirements dictated by agency needs).

This consolidation follows the language used in CMMC version 1. The original Level 2 certification was simply a stepping stone to Level 3 and Levels 4 and 5 were only differentiated by security implementation.

Organizations must meet Level 2 certification to handle CUI in this new framework.

  • Relaxing Requirements for Audits: In the original CMMC framework, any audits and certifications required C3PAO participation. In CMMC 2.0, this requirement has been loosened. Organizations seeking Level 1 certification can undergo annual self-assessment without the need of a C3PAO. Likewise, select Level 2 organizations can also opt for self-assessment (a determination made by the DoD representatives, not the organization undergoing audit). However, most organizations handling CUI at Level 2 will require triennial audits from a C3PAO. All Level 3 organizations will follow a triennial audit schedule with a C3PAO.
  • Inclusion of POA&Ms: To promote flexibility and scalability, CMMC 2.0 will allow some companies, under limited circumstances, to produce time-sensitive POA&M reports to achieve certification. 


When Will CMMC 2.0 Enter Defense Contracts?

Currently, the CMMC 2.0 documentation has just been released for review. At this juncture, the DoD intends to receive feedback and revision suggestions for these new standards. 

CMMC was already entering RFP requirements for some Defense agencies. However, the DoD is still working on the rule-making and language of version 2.0 before implementation. 

According to the Office of the Under Secretary of Defense (Acquisition and Sustainment) website, rule-making could take 9-24 months before CMMC 2.0 shows up in contract requirements. 


Prepare for CMMC or Other Government Compliance with Lazarus Alliance

Even when preparing for CMMC (version 1 or 2), you will want to plan for the best way to streamline your continuing compliance and security assessments (either self-directed or through a C3PAO). 

If you’re ready to centralize your security support with a company that knows security, compliance engineering and government requirements, then work with Lazarus Alliance. Our experts have decades of experience delivering security and compliance services to all our clients, reducing audit procedures from weeks or months to days. 


Getting Ready for CMMC 2.0?

Call Lazarus Alliance at 1-888-896-7580 or fill our this form. 

Lazarus Alliance