With the release of CMMC 2.0 on Nov 4, 2021, several Defense Industrial Base (DIB) firms are questioning if CMMC still extends to their prospective government agreements.
What’s New in CMMC 3 Levels? Instead of five levels, CMMC 1.0 initially offered five, with Levels 2 and 4 supposed to be intermediate steps.
CMMC 2.0 only has three levels:
- Level 1 – Fundamentals
- Level 2- Advanced
- Level 3- Expert
CMMC initially did not permit self-certification at any level. This has been altered in CMMC 2.0.
In CMMC 2.0, certification is intended to function as follows for each level:
Level 1: All Level 1 businesses may self-certify.
Level 2: Some Level 2 businesses will be able to self-certify, while others will need to employ an independent assessor (C3PAO) to undertake an assessment.
Level 3: The administration will require examining all Level 3 businesses.
Contractors who just need to fulfill CMMC Level 1 must secureFCI, not CUI.
FCI is data not meant for public release and is supplied by the US government as part of a contract to produce or provide a service or product to the agency but is not public information, such as data on websites.
CUI is information created or possessed by the United States government that a law, rule, or government policy mandates or allows an agency to manage using safeguarding or distribution restrictions.
Fewer C3PAO Assessments Certified Third-Party Assessment Firms (C3PAO) will remain a component of the CMMC environment and will remain to deliver assessments to select organizations pursuing Level 2 compliance.
Because all Level 1 and some Level 2 organizations can self-certify, there will be fewer examinations needing a C3PAO.
POA&Ms Can Be Used for Compliance POA&Ms are written plans that outline how a company will satisfy compliance in the future. Companies employed POA&Ms to demonstrate compliance with NIST SP 800-171. However, they were not initially adequate to demonstrate compliance with CMMC.
POA&Ms are considered an appropriate remediation method for some CMMC practices in CMMC 2.0.
Even if you don’t know if you’ll be able to utilize a POA&M to demonstrate CMMC compliance, POA&Ms, like System Security Plans, is helpful to all businesses in enhancing their security posture (SSP).
What is the same in CMMC 2.0?
The Department of Defense is still going forward with CMMC.
The CMMC Accreditation Body (CMMC-AB) retains its unique agreement with the DoD, allowing it to carry out CMMC examinations and training.
Contractors that do not handle CUI (Level 1 and some Level 2) will remain to use the SPRS to record self-assessments and assurances.
Why Did CMMC Change?
• Fears that many small enterprises (with limited resources) may unlikely conform with CMMC as intended.
• Contractors were perplexed by the numerous cybersecurity standards and restrictions.
• There are a limited number of third-party auditors, or C3PAOs, who are eligible to conduct assessments.
The Effect of CMMC 2.0 on Contractors
The new CMMC still adheres to the original purpose of safeguarding information in national distribution networks, but it also:
- Simplifies and clarifies the criteria.
- Outside third-party reviews are restricted to subcontractors backing the highest priority initiatives.