A PDF of the announcement from the DoD can be viewed here and should be available at https://federalregister.gov/d/2021-24160 after it is officially released.
The DoD’s CMMC website has been updated to reflect the new CMMC 2.0 model.
The DoD has also posted a press release.
What is changing?
The focus of the announcement comes down to the following bullet points.
· Eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model;
· Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1;
· Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation;
· CMMC Level 5 requirements are still under development;
· Development of a time-bound and enforceable Plan of Action and Milestone process; and,
· Development of a selective, time-bound waiver process, if needed and approved.
These changes must still go through public comment periods before they are made official, but they have the potential to make CMMC look a lot more like NIST 800-171 for the majority of contractors.
While CMMC 2.0 uses the terms “level 1, level 2, and level 3”, levels 2 and 3 mean something very different from what they meant in CMMC 1.0. Previously, many companies were aiming for CMMC 1.0 Level 3. That now maps to CMMC 2.0 Level 2.
Figure 1: OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil)
Did I waste money pursuing CMMC requirements?
Not at all – you have likely made a lot of progress toward meeting the NIST 800-171 requirements that you should have been meeting this entire time. CMMC will still have the teeth to require an independent assessment at CMMC Maturity Level 3 (now CMMC 2.0 Level 2).
If the maturity processes are removed, do I still need documentation?
Yes. Policies and procedures have always been a requirement of NIST 800-171A and will continue to be required in CMMC 2.0. Any time an assessment objective uses the word “define”, that is a requirement that a policy or procedure exists on paper.
What should I do now?
DFARS 252.204-7012 is still the law. NIST 800-171 has been the requirement and continues to be required for contractors holding CUI. Contractors handling CUI may still need to be assessed by independent assessors or DIBCAC.
Sentar Inc. has skilled experts able to help you achieve compliance and improve your security in an ever-changing environment filled with persistent threats.
Other resources
CMMC Accreditation Body Endorses Pentagon’s Proposed Implementation Changes in CMMC 2.0