In early 2020, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) program as part of an effort to rethink its approach to cybersecurity. Because the Defense Industrial Base (DIB) is a frequent target of increasingly complex cyberattacks, the DoD designed the program to protect American ingenuity and national security.
A lot has happened in the nearly two years since the debut of the CMMC. To keep up with rapidly evolving threats, the DoD recently released CMMC 2.0. What does this latest CMMC update mean for your business? In this blog, we’re going to discuss how different the CMMC’s latest version is from the original.
Before we get into CMMC 2.0, let’s first talk about the regulation itself and CMMC requirements. The CMMC program is a collection of cybersecurity standards, similar to the Defense Federal Acquisition Regulation Supplement (DFARS) 7012. This regulation governs how contractors working with the government handle controlled unclassified information (CUI). While contractors aren’t required to be certified yet, it’s expected to be a requirement by 2026.
The CMMC program has three key features:
- Tiered Maturity Model: The original program uses a five-tiered maturity model with progressively more advanced cybersecurity requirements. The more sensitive the type of information a contractor handles, the higher the tier, and the stricter the requirements, it must meet.
- Assessment Requirements: Assessments must be conducted by an accredited auditor. The assessments allow the DoD to verify that you’ve implemented the necessary cybersecurity measures.
- Implementation Through Contracts: Contractors are given contracts based on their CMMC level.
In November 2021, the DoD announced CMMC 2.0, an updated program to replace the original. The goal of the CMMC 2.0 framework is to create a simplified, more targeted approach to safeguarding sensitive data.
Understanding the different levels in the first CMMC program is going to be important later in this blog. Here’s what you need to know:
- Level 1: The first level focuses mainly on basic cyber hygiene. In level one, you are given access to federal contract information (FCI). Although FCI is not classified information, it’s still not meant to be seen by the general public. It’s expected that you properly safeguard this data following practices specified in 48 CFR 52.204-21.
- Level 2: This level requires an organization to establish and document practices and policies that help it implement CMMC standards.
- Level 3: To reach level three, a contractor must meet all of the requirements in NIST SP 800-171, as well as 20 additional practices.
- Level 4: A contractor that achieves level four CMMC has a substantial, proactive cybersecurity program. These contractors are expected to review and measure their practices to understand their effectiveness.
- Level 5: A level five contractor has been recognized as an organization with an advanced or progressive cybersecurity program. An organization at this level is expected to standardize and optimize process implementation across the organization.
The new CMMC 2.0 introduces several changes to the program that build on and refine what was already there. The most notable changes include:
- Fewer Tiers: CMMC 2.0 condenses the number of security tiers from five to three. Tiers two and four have been removed. Under the previous program, levels one, three, and five were based on existing standards, while levels two and four were based on practices created specifically for the program.
- Better Alignment: CMMC 2.0 is fully aligned with NIST standards rather than program-specific practices.
- Reduced Assessment Costs: Any company that is level one, or previously level two, is now allowed to perform self-assessments for compliance. That means these businesses no longer have to pay for their assessments.
- More Accountability: There is now more oversight over the professional and ethical standards of the organizations that perform assessments.
- Flexibility: Some companies are allowed to make plans of action and milestones (POA&M) to achieve certification.
- Speed: Under certain circumstances, some companies are allowed to request waivers.
Need to meet the new CMMC 2.0 compliance standards? The team at BL King has you covered. Our consultants understand the ins and outs of cybersecurity compliance, and we can help you reach your goal.
Contact us today to learn more.