What are the changes with CMMC 2.0 and how will they affect you? 

by | Feb 7, 2022 | CMMC, Security

In early November, the Department of Defense announced that there would already be changes to the relatively new CMMC security framework.  The primary goal of the updated CMMC version is to make certification more simplified and obtainable for the supply chain. 

So, what exactly will change?  First off, there will only be 3 maturity levels, as opposed to the 5 that currently exist today.  The DoD realized that it didn’t make a lot of sense to have Levels 2 and 4 in the mix, since no contracts would require them.  DoD contracts that now require a CMMC certification will either require a Level 1, Level 3, or a Level 5 certification.  For CMMC 2.0, what is currently being called Level 3 will soon be called Level 2.  And what is currently called Level 5 will soon be called Level 3. 

The current CMMC Level 3 requirements include all of the NIST 800-171 controls (which total 110 requirements), plus an additional 20 requirements that the CMMC accreditation board thought were important.  However, once CMMC 2.0 takes effect, Level 3 will be called Level 2, and its requirements will mirror exactly the same requirements of NIST 800-171.  CMMC 2.0 Level 2 will not include those 20 additional requirements, making it easier for organizations to become certified at that level. 

In addition to maturity level changes, there are also changes in the certification roadmap.  With the current CMMC 1.0 framework, those seeking a Level 1 certification need to implement all 17 controls and pass every requirement.  Organizations seeking certification at any maturity level were required to hire a C3PAO to undergo an audit. 

With CMMC 2.0, organizations seeking a Level 1 certification do not need to hire a C3PAO.  They can self-assess and submit a self-attestation.  The Level 1 requirements will no longer be pass/fail.  Organizations will score themselves, just like those who are subject to the DFARS Interim Rule.  And whatever score they get will need to be submitted to the Navy’s site called the SPRS, or Supplier Performance Risk System. 

Once the scoring is finished, those organizations seeking a Level 1 certification will need to do something else they previously didn’t need to: they will need to complete POA&Ms with firm deadlines.  POA&M stands for Plan of Action & Milestones.  The document details how the organization plans to remediate the requirements that failed to score in the self-assessment.  Those POA&Ms will be due 6 months from the date when the self-assessment is complete. 

When receiving a CMMC 2.0 Level 1 certification, it will be good for 3 years.  However, it will remain a requirement to self-assess and submit your score every single year and be subject to an audit and the false claims act at any time.  If companies seeking a Level 1 decide to hire a C3PAO auditor, those companies will not need to conduct the annual self-attestation process, which includes management signing a legal attestation document, and keeping it on record. 

This new CMMC 2.0 plan was designed to help organizations seeking a Level 1 certification to save on auditing costs.  Additionally, for organizations seeking a Level 2 certification (which is what was called Level 3), some of those organizations will be allowed to self-assess as well! 

For the CMMC 2.0 Level 3 certification (the highest level), the requirements will include all the ones from NIST 800-171 plus an additional subset of NIST 800-172 requirements. 

After the CMMC 2.0 framework was announced, the glaring question became, “How long until CMMC 2.0 takes effect?!”  There is no date yet for that – however, the industry’s best guess as to when the 2.0 framework will take effect is another 8 to 24 months after the new framework details are finalized. 

It’s also estimated that the Department of Defense is pushing back the dates on when they’ll have more contracts requiring CMMC certification.  However, since the implementation of the maturity level controls takes companies such a significant amount of time, organizations are not waiting to begin their preparations. 

Peters & Associates is already helping companies prepare for their CMMC assessments, and we’d be happy to speak to you about how we can assist you with your own certification readiness. Contact us at info@peters.com.