Was version 2.0 simply an update to the previous model of Cybersecurity Maturity Model Certification?
The simple and resounding answer is NO! The DoD's 2.0 update was more like a hatchet than a scalpel for emergency field surgery.
CMMC 2.0 Enhancement
In an update as of Nov 4th, 2021, the DoD clarified that it no longer intends to approve the inclusion of a CMMC requirement in any near-term contract prior to completion of the CMMC 2.0 rulemaking process, and that it will suspend all current trailing phases.
Once CMMC 2.0 is fully authorized through the rulemaking process, the DoD will require a certain set of companies, selected based on contract assignments, to adhere to the revised CMMC framework and to the requirements set forth in regulation through that rulemaking process. That rulemaking could take between 9 and 24 months.
Additional highlights from the 2.0 announcement:
- The DoD has reduced the model's levels from five (5) to three (3) and clarified how each aligns with existing standards:
  - The Advanced level (formerly level 3 – Good) will be the equivalent of NIST SP 800-171 ‘Protecting CUI’.
  - Similarly, the Expert level (formerly level 5 – Advanced) will be based on a subset of NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI: Supplement to 800-171), but is still under development.
  - Finally, the Functional level (formerly level 1 – Basic) would be based on the contractor’s ‘annual self-audit’ of the 17 practices.
- If implemented, these proposed changes would align with many industries’ recommendation to leverage existing standards rather than introduce new ones.
- Levels 2 & 4 will be removed from the 2.0 version and will no longer be a consideration or tracked (see below):
Further changes included within CMMC 2.0:
- Removing CMMC-unique practices and all maturity processes from the CMMC Model.
- Allowing annual self-assessments, with an annual affirmation by DIB company leadership, for CMMC Level 1 “Basic”.
- Bifurcating the CMMC Level 3 requirements: identified/prioritized acquisitions that handle CUI would require an independent assessment, while non-prioritized acquisitions would require an annual self-assessment and company affirmation, following current DoD acquisition protocols.
- Development of a time-bound and enforceable Plan of Action and Milestones (POA&M) process, as well as a time-bound waiver process where needed and approved, giving contractors that do not yet meet every security control the time necessary to prove that they will in the future.
- Allowing POA&Ms is an important feature and has been a challenging point for many in the DIB: under the previous model, failing a single control during an inspection would have meant a contractor could not work on, or remain on, a contract. Together with the waiver process, the DoD has provided several means to keep contracts accessible not only to larger enterprises but also to SMBs, while reducing the potential strain on assessors.
- POA&Ms will be allowed for 180 days under CMMC 2.0.
- CMMC 2.0 will not allow POA&Ms for the highest-weighted requirements.
- The DoD will establish a “minimum score” required to support certification with POA&Ms.
These updates will continue to be followed and highlighted here on Tech Zone. Ultimately, once the DoD sets the timeline and invokes them, these enhancements should help the industry streamline control mapping and leverage the frameworks and security measures organizations have already put in place against existing standards, such as NIST and FedRAMP, without re-inventing another wheel.