Cybersecurity Maturity Model Certification (CMMC) is the DoD’s security model, laying out the department’s cybersecurity requirements. The program is aimed at improving security by attaching certification requirements to external contracts. This program is critical for protection against cyber warfare, making it a significant component of national security. Specifically, it’s a critical measure to ensure the protection of Controlled Unclassified Information (CUI) as well as Federal Contract Information (FCI).
CMMC 2.0 is the new version of the model—set to replace the current version of CMMC in the near future—and there are some changes to note. The overall goal of version 2.0 of the model is to make it more streamlined, add flexibility to the implementation, and make for more reliable assessments of security qualifications.
There are a few fairly significant changes that contractors will see as they transition from version 1.0 to 2.0. Of the changes, the two key elements to be aware of are the levels of the model and the inclusion of Plans of Action and Milestones (POAMs). The levels have changed quite a bit, while still maintaining the critical components at the core of CMMC 1.0’s level structure.
First, we’ll look at the levels of CMMC 1.0 to become familiar with the current system. Then we’ll discuss the new levels as laid out in CMMC 2.0 and how they compare to version 1.0. We’ll see that they are similar, but the new levels become more streamlined and they eliminate some of the ambiguities that exist in CMMC 1.0. In CMMC 2.0, the five-level structure has been condensed down to just three levels.
Levels: CMMC 1.0 vs CMMC 2.0
CMMC 1.0 had a total of five levels, from basic at level 1 to advanced at level 5. In this version of the model, levels 2 and 4 were transitional levels. You’ll also notice that version 1.0 includes, at several levels, additional practices and standards that go beyond the scope of NIST SP 800-171 and 48 CFR.
CMMC 1.0 levels:
Level 1: Focused on protection of FCI and the basic safeguarding requirements of 48 CFR 52.204-21.
Level 2: Acts as a transitional phase between level 1 and level 3. Includes only a subset of the security requirements laid out in NIST SP 800-171 plus some practices from other standards.
Level 3: Focused on the protection of CUI and includes all of the requirements of NIST SP 800-171 plus 20 other practices for threat mitigation. Level 3 was the minimum requirement for any contractor with a DFARS clause in the contract.
Level 4: Serves as a transitional stage between level 3 and level 5 and is centered around the protection of CUI from APTs. This level includes a subset of the security requirements from Draft NIST SP 800-171B plus some other cybersecurity practices. Level 4 practices are intended to improve detection and response against the changing tactics of APTs.
Level 5: Fully focused on protecting CUI from APTs. Additional practices enhance the level of sophistication of cybersecurity processes.
One could question why CMMC would bother with the two transitional phases, as they could be considered “half-measures” toward full compliance with the next level. This adds a lot of ambiguity to what it truly means to be level 2 or level 4 “certified,” which leaves the whole system in question.
Well, CMMC 2.0 has done away with these extra intermediary levels and condensed the total number of levels down to just three well-defined standard measures.
The three levels of CMMC 2.0 are:
Level 1 (Foundational): Requirements are equivalent to CMMC 1.0 level 1.
Level 2 (Advanced): Requirements are equivalent to CMMC 1.0 level 3.
Level 3 (Expert): Requirements are equivalent to CMMC 1.0 level 5.
CMMC 2.0 eliminates maturity levels and eliminates all of the security practices that were unique to CMMC. Instead, Advanced (Level 2) practices are identical to NIST SP 800-171 and Expert (Level 3) practices will include a very specific subset of NIST SP 800-172.
This change to follow only NIST standards is highly beneficial as it relies on a set standard across the board, rather than having CMMC requirements that don’t necessarily conform to any other standard.
Plans of Action and Milestones (POAMs)
POAMs were not accepted in CMMC 1.0. The initial reasoning was that CMMC was meant to require 100% conformance, and accepting POAMs was viewed as putting those who had spent a great deal of time and money to become compliant at a disadvantage. Certification is a long and challenging process that requires a steep financial investment, so letting some skirt those requirements was—and perhaps still is—viewed in a negative light by many.
In CMMC 2.0, POAMs will be accepted from contractors, but the finer details on these requirements are still a bit unclear. In essence, when CMMC starts accepting POAMs, contractors who don’t fully meet every security requirement can submit a report detailing how they will meet the requirement in the future. This adds flexibility for contractors to prove CMMC compliance and adds assurance that they will become certified in the near future. In a nutshell, it shows that they can do the job and are taking the proper steps.
The arguments for both sides of the POAMs debate have merit. For those who have gone or are going through the full certification process, it may feel they are being shortchanged. However, security is the most important factor regardless of the circumstances. So, if good contractors can lend their expertise on projects thanks to a POAM, then this is a benefit in the long run. When it boils down to it, the department wants the most talented and qualified contractors to do the job.
Self-Assessments for Some in CMMC 2.0
Assessment costs for some are also reduced in the process, as all Foundational/Level 1 companies and some Advanced/Level 2 companies can demonstrate their compliance through self-assessment. The specifics of this self-assessment aren’t fully known yet, but it boils down to the types of CUI they hold. Essentially, the level of sensitivity in the data a contractor has access to will determine whether they can self-assess or will require a third-party assessment for certification.
Reducing the assessment costs helps to eliminate a potential barrier to entry for contractors, which allows the DoD to utilize the most qualified professionals. But again, it is only those companies that will require access to less sensitive CUI that can self-assess, so the assessment savings won’t necessarily be experienced by all DoD contractors.
When Will CMMC 2.0 Take Effect?
We are still not completely clear on when CMMC 2.0 will become the official standard. As with any rulemaking process, there are specific procedures and hurdles to clear before anything becomes law. Even when those hurdles are cleared, we won’t necessarily know for some time when we can expect the new standard to take effect.
After all, CMMC 1.0 is still new in its own right, with the interim rule published in September of 2020. The rule didn’t go into effect until November of 2020, and it established a five-year phase-in period. While we can anticipate CMMC 2.0 rolling out sooner than 2025, we are still well within that five-year phase-in period that was expected when CMMC 1.0 was made law.
So, why then are we even anticipating CMMC 2.0 so soon after the initial version? The internal review of CMMC’s implementation in March of 2021 turned up some positive and negative responses to the initial program. The assessment engaged cybersecurity professionals within DoD to determine how the program’s implementation could be enhanced. This feedback on the program indicated that some changes were in order, including the modification of the certification levels and a reconsideration of the acceptance—or non-acceptance—of POAMs.
This brought about the department’s CMMC 2.0 announcement in November of 2021, just a year after CMMC 1.0 went into effect. The timetable for full implementation is not yet explicitly defined but is not expected to roll out until the fall of 2023 at the earliest. This would mean an interim rule publication should be coming sometime around May 2023.
What to Do Until CMMC 2.0 is Released Into the Wild
We’re likely looking at more than a year until CMMC 2.0 becomes law. For now it’s good to get a jump on things by understanding what will be changing, but there is no need to take any immediate action. Nothing changes until CMMC 2.0 becomes law.
In the meantime, c1secure has built a framework that helps set you down a path to be ready for compliance. Our simple CMMC Maturity Scale Register will get you up and running with your self-assessments and prepare you for your current and future C3PAO audits. Within the solution, the control objectives and citations have been grouped in accordance with the CMMC maturity levels (Level 1 – Level 5), enabling Federal contractors to measure their compliance against each of the CMMC maturity levels. For information on how to get started, contact [email protected].