CMMC 2.0 Cybersecurity Framework: What to Expect

What’s New in CMMC | Column 1

“What’s New in CMMC” is a regular column from MxD explaining aspects of the just-launched CMMC 2.0 framework.

CMMC 2.0, the Defense Department’s simplified and streamlined Cybersecurity Maturity Model Certification framework, has set the Defense Industrial Base (DIB) supply chain abuzz, with contractors and their suppliers asking: What’s new? What’s next? And how much? 

Launched in early November, just weeks before its predecessor was to go into effect on some contracts, CMMC 2.0 is still a work in progress. Rule-making for this DoD initiative to improve and standardize DIB cybersecurity is expected to take from nine to 24 months. Compliance won’t be required until those rules are set.

But there is early clarity on some of the updates included in CMMC 2.0, which is  designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that the DoD shares with contractors and subcontractors through acquisition programs. The tiered system from CMMC 1.0 carries over to CMMC 2.0  but goes from five levels to three that align with National Institute of Standards and Technology (NIST) cybersecurity standards. The level that will be needed for each DoD contract is to be determined once CMMC 2.0 begins. 

Under CMMC 2.0:

  • Level 1, or the Foundational Level, would require implementation of 17 basic practices and annual self-assessment. Companies would report self-assessment results to the DoD through its Supplier Performance Risk System (SPRS). This does away with the CMMC 1.0 demand for third-party assessment for this level, which was seen as a particularly costly and burdensome hurdle for small and medium-sized businesses.
  • Level 2, or the Advanced Level, is similar to Level 3 in CMMC 1.0. It covers 110 practices aligned with NIST SP 800-171. This level would have  an annual self-assessment requirement for certain programs and an every-three-years  third-party assessment when critical national security information is involved. 
  • Level 3, the Expert Level, is still being developed but is expected to include implementation of 130 practices and a government-led assessment every three years. The Expert Level, the DoD says, is to be based on a subset of NIST SP 800-172 requirements and this level mirrors Level 5 in CMMC 1.0.

Also new in CMMC 2.0 is a Plan of Action and Milestones (POA&M) allowance, which in limited cases would let contractors that do not meet every requirement in one of the levels show they are working on compliance, likely permitting them to continue DoD work. 

DoD says it will publish a comprehensive cost analysis for each CMMC 2.0 level as part of its rule-making process. But, it noted, “costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to streamline requirements at all levels.”

One thing to note is that though CMMC 1.0 has been suspended, most DoD suppliers still currently must meet DFARS 7020 clause requirements, and that includes a self-assessment per the NIST SP 800-171 standard. Also, with cyberattacks targeting the DIB supply chain on the rise, companies are being urged to up their mitigation efforts and do the work needed to prepare for CMMC 2.0’s arrival.

As this process rolls out, watch for continued CMMC 2.0 updates and tools, including webinars, from MxD.


Register your interest in a free assessment for Cybersecurity Maturity Model Certification (CMMC) and other cybersecurity protocols by filling out this form.