Cybersecurity Maturity Model Certification (CMMC)
CMMC 2.0 – What’s New?
On November 9th, Department of Defense representatives spoke during the CMMC Town Hall Meeting to share updates with the community at large regarding several major modifications to CMMC. The strategy behind the changes was built around five key areas of concern:
- The cost burden on small businesses.
- Companies not in control of CUI.
- Companies with control of CUI, but not deemed critical to national security.
- Companies with CUI control that manage information critical to national security.
- Companies supporting most sensitive defense programs.
The changes that were agreed upon came largely in response to feedback that the original CMMC model was overly demanding and unnecessary, particularly in requiring most of the DIB with CUI to be assessed at level three certification. Based upon risk, suppliers to the DoD whose CUI may present a threat to national security will now fall under the new level two CMMC certification.
The most notable alteration to CMMC 1.0 is a significant streamlining of the certification model. The levels formerly known as two and four have been eliminated, as they were never intended to be assessed individually. Following the elimination of these two levels, there are now three levels to CMMC:
- Level 1: Foundational – Companies with FCI only; the information requires protection but is not critical to national security. Will require self-assessments to NIST 800-171.
- Level 2: Advanced – Companies with CUI, which may require third-party or self-assessment depending on the type of information in question.
- Level 3: Expert – The highest-priority companies with CUI, which must be assessed by the government.
Alongside the streamlining of the CMMC structure, POA&Ms and waivers will be allowed on a limited basis when accompanied by strategies to mitigate CUI risk. Contracting officers may use normal remedies to address a contractor’s failure to meet cybersecurity requirements by a predetermined deadline.
The DoD has suspended the piloting program in the interim, though it should resume within approximately 9-24 months. C3PAOs can conduct voluntary assessments in the meantime, and training that has already taken place prior to the revisions can be updated at no additional cost.
To learn more about CMMC or how PJR may help you, contact us at (248) 358-3388.