During the last couple of years, one of the biggest waves occurring in the world of Cybersecurity was that of the CMMC. Essentially, this is a mandate set down by the Department of Defense (DoD) that all contractors and sub-contractors that exist in the Defense Industrial Base (DIB) must achieve some sort of certification level in the CMMC.
This is needed because of the sensitivity and confidentiality of the FCI and CUI data sets that are entrusted to them. Unless certification is achieved, no entity will be able to bid on future contracts and/or all current work must cease immediately.
But the entire process has been confusing needless to say, and so it was just recently announced that a streamed-down version of it will be released, which is known as the CMMC 2.0.
What Are the Differences In CMMC 2.0?
There are some key differences, and they are as follows:
- There are fewer levels of Maturity Levels: Instead of the usual five, there are now three of them, which include the following:
- The CMMC Level 1 Foundation: This requires that 17 of the control requirements must be put into place. There is no third-party affirmation that is required, and the assessments can be conducted internally in the organization.
- The CMMC Level 2 Advanced: All of the 110 control requirements must be put into place. Further, assessments must be conducted at least three times a year, and must be conducted by a third-party assessor. However, under certain circumstances, this can be waived, and self-assessments can be done instead.
- The CMMC Level 3 Expert: Once again, all 110 control requirements have to be put into place, and assessments have to conducted three times a year by a third-party assessor. There is no allowance for self-assessments to take place.
It is interesting to note that before the CMMC was implemented, all defense contractors and their subcontractors could conduct self-assessments as governed by the NIST SP 800-172. Then this was no longer an option, but has come back again with the CMMC 2.0.
- Changes in third party certification: If the contractor/subcontractor is not handling any sort of CUI datasets, then third party certification is no longer needed. However, it is required if they are seeking to store, process, and transmit any type of FCI datasets.
- All of the requirements to not have to be met: With the current version of the CMMC, all contractors/subcontractors have to meet each and every requirement before any bidding on new projects can take place. But with the CMMC 2.0, these are more relaxed. For example, depending upon the size and scope of the contract, just the baseline requirements have to be met, and the others can satisfied at a subsequent point in time. This flexibility will thus allow bidding to happen and earlier, removing any obstacles.
- Waiving of the POA&M: This is an acronym that stands for “Plan of Action and Milestones”. Essentially, once a contractor/subcontractor has completed the initial assessment of the state of their controls under the current CMMC, it must submit to the DoD this plan as to how any deficiencies will be rectified. At the present time, this has been required of every entity, and all gaps and remediations had to remediated before the certification process could continue. Many entities complained that this was a time consuming and costly process, given that they had to hire a third-party assessor. But with the CMMC 2.0, the process of going through the POA&M could be entirely waived, under certain circumstances.
- Increased oversight: Coming out with a more streamlined version of the CMMC has also ignited fears that oversight could also be lax, especially the third-party assessors. To address this concern, the DoD has also announced that it will quickly step up the oversight of these entities, in order to make sure that the intended robustness of the CMMC remains intact.
- Other FAQs:
- Will the current version of the CMMC be enforced? The short answer from the DoD is it will not be, until the CMMC 2.0 is fully approved. However, this does not mean that the contractors/subcontractors should suspend any on going efforts to get certified. In fact, the DoD also announced that it is exploring various incentive packages for those that continue on the track that they have embarked upon.
- How much will the CMMC 2.0 actually cost? At the present time, the DoD is doing a cost analysis breakdown. But since there are fewer Maturity Levels to be certified at, and self-assessments, it is expected at the outset that the costs will be significantly lower than the current CMMC.
- Why has the CMMC 2.0 evolved in the first place? Although there many other reasons, the two prime catalysts that have been cited for this new evolution are:
- The complaints of how long and especially how expensive the current CMMC process is;
- Rather than implementing a form of the Zero Trust Framework with the current CMMC, the thinking now is that a certain level of goodwill and trust can be fostered with the CMMC 2.0, thus making cooperation and agreement a much easier process for all of the parties that are involved.
It has been estimated that it take anywhere from 9 – 24 months for the CMMC 2.0 to be fully approved. During this time frame, it is anticipated that other changes could occur, adding even more to the confusion. But remember, you are not alone in this process. Many organizations are looking at meeting NIST-800-171 requirements at a minimum as this is currently a contracting requirement.
Looking for more CMMC information? Talk with one of our CMMC RPO’s today to figure out how to best prep for the upcoming changes.