On December 26, 2023, the department of defense (DoD) announced the proposed rule for CMMC 2.0, which is open for comments until February 26, 2024.
If you’re an organization that works with the DoD, it’s time to start preparing for CMMC 2.0 compliance.
What is the difference between CMMC 1.0 and CMMC 2.0?
In 2020, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC), a cybersecurity framework with various tiers, drawing inspiration from established standards like NIST and DFARS.
Organizations partnering with the DoD must comply with CMMC. Additional stringent requirements exist for those handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
According to the DoD, FCI comprises information not intended for public release, provided by or generated for the government under a product or service development contract. It excludes government-provided information to the public and basic transactional details for payment processing.
CUI involves information created or possessed by the government or entities on its behalf, subject to safeguarding or dissemination controls mandated by laws, regulations, or government-wide policies.
When CMMC first launched, it featured five levels. However, in November 2021, the DoD released an updated version: CMMC 2.0. Two main motivations drove this update.
First, the defense community deemed the previous version complex and confusing. Second, under the 1.0 rules, the DoD lacked a means to verify contractor compliance. Instead, prospective contractors were required to self-attest to implementation.
How to comply with CMMC 2.0
CMMC 2.0 functions as a cybersecurity framework designed to verify that contractors have implemented security measures and are maintaining their security status throughout the contract lifespan.
CMMC 2.0 lays out compliance requirements across three levels. To become accredited and meet compliance, organizations must implement the security controls that respond to their CMMC level. These requirements are spread across 14 domains:
- CMMC Level 1 encompasses 15 requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). This level is expected to apply to contractors involved in storing, processing, or transmitting FCI.
- CMMC Level 2 involves 110 requirements sourced from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2. It broadly applies to contractors engaged in storing, processing, or transmitting CUI.
- CMMC Level 3 includes 24 selected requirements from NIST SP 800-172, coupled with the full implementation of NIST SP 800-171. This level is tailored for a smaller subset of DoD contractors dealing with the storage, processing, or transmission of high-value CUI.
| Level | Information Type | Requirement | Assessment |
| Level 1 | Federal Contract Information (FCI) | 15 controls (aligned with FAR 52.204-12) | Annual Self-Assessment and affirmation (to be entered into SPRS) |
| Level 2 | Controlled Unclassified Information (CUI) | 110 controls outlined in NIST SP 800-171 Rev 2 (and currently required by DFARS 252.204-7012) | Triennial Self-Assessment and annual affirmation (to be entered into SPRS); closure of POA&Ms |
| Triennial Certification Assessment (by a C3PAO) and annual affirmation (to be entered into SPRS); closure of POA&Ms | |||
| Level 3 | CUI, plus risk of Advanced Persistent Threats (APT) | 110 controls outlined in NIST SP 800-171 Rev 2, plus 24 controls from NIST SP 800-172 | Triennial DoD-led Certification Assessment and annual affirmation (to be entered into SPRS); closure of POA&Ms |
Currently, the implementation date for CMMC 2.0 is unknown, but it is widely thought that the regulation will become effective in summer 2024. Instead of waiting until the last moment and risking non-compliance, organizations must develop their compliance plans now: identifying any security gaps, implementing new security measures like data loss prevention (DLP), and training employees before an audit.
