The Department of Defense (DoD) has released a new version of the Cybersecurity Maturity Model Certification (CMMC) requirements for its supply chain. The new version (referred to as CMMC 2.0) was drafted in response to more than 850 public comments that the DoD received during the comment period following the release of the initial CMMC 1.0 version.
The updated CMMC 2.0 is designed to simplify the certification process, reduce assessment costs, and give suppliers a more flexible path to attain certification.
Here’s a high-level look at what’s changed with CMMC:
CMMC Levels Trimmed Down From 5 to 3
Taking the five CMMC levels down to three and eliminating the CMMC-unique practices is intended to reduce the complexity of compliance dramatically.
Level 1 (“Foundational”) is unchanged in scope from the original CMMC requirements: the basic safeguarding requirements for Federal Contract Information (FCI) drawn from FAR 52.204-21, verified by an annual self-assessment.
The former Level 3 has become Level 2 (“Advanced”) and is now based solely on the 110 security requirements of NIST SP 800-171. Within Level 2 there are two subsets of suppliers: those that need a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) and those that may self-assess. Which subset a supplier falls into is set by the DoD in the solicitation, based on the sensitivity of the Controlled Unclassified Information (CUI) involved.
Most companies that handle CUI and are required to comply with CMMC will need to meet Level 2 requirements.
The former Level 5 is now Level 3 (“Expert”). It builds on Level 2 with a subset of requirements from NIST SP 800-172, is assessed by the government (DCMA’s DIBCAC) rather than by a C3PAO, and will not apply to most companies. Level 3 requirements do not necessarily flow all the way down a prime contractor’s chain of vendors; whether they apply depends on the information a given vendor handles.
CMMC Audit Requirements Reduced
Reduced third-party audit requirements dramatically decrease the cost of CMMC compliance for many companies. Level 1 suppliers and a portion of Level 2 suppliers need only complete an annual self-assessment.
Level 2 companies that do need a third-party assessment only need one every three years. Between assessments, a senior company official must affirm continued compliance annually; the certification is not renewed on self-assessment results but on that affirmation plus the triennial C3PAO assessment.
CMMC 2.0 also allows a Plan of Action and Milestones (POA&M) toward full compliance in place of proof of full compliance at the time of assessment. This yields a conditional status only: open POA&M items must be closed within 180 days, and certain requirements are not POA&M-eligible at all. Separately, the DoD may waive the CMMC requirement for a particular procurement in limited circumstances; that decision rests with the DoD, not with the contractor or the prime.
CMMC Compliance Timeline
The final CMMC program rule (32 CFR Part 170) was published on October 15, 2024 and took effect on December 16, 2024. That date does not start the phase-in clock, however. The four phases are keyed to the effective date of the companion DFARS acquisition rule (48 CFR), which was published on September 10, 2025 and took effect on November 10, 2025. Each subsequent phase begins one year after the previous one, so Defense Industrial Base (DIB) suppliers ramp up over roughly three years.
Phase 1 (from November 10, 2025)
- A Level 1 or Level 2 self-assessment becomes a condition of award for applicable solicitations and contracts.
- The DoD may, at its discretion, require a Level 2 third-party (C3PAO) assessment in place of a self-assessment for some solicitations.
Phase 2 (from November 10, 2026)
- A Level 2 third-party assessment becomes a condition of award for the contracts that require it; self-assessment no longer suffices for those contracts, although the DoD may defer the requirement to an option period.
- The DoD may, at its discretion, require a Level 3 assessment for some contracts involving the most sensitive data.
Phase 3 (from November 10, 2027)
- A Level 2 third-party assessment is required for all applicable contracts, including option periods on existing awards; contracts that require only Level 1 or Level 2 self-assessment continue to be awarded on that basis.
- A Level 3 assessment becomes a condition of award for applicable contracts. The DoD may defer it to an option period; a prime contractor cannot waive it.
Phase 4 (from November 10, 2028)
- CMMC is fully implemented: every applicable solicitation and contract, including option periods on prior awards, carries its CMMC requirement.
- Depending on the contract, an organization must hold a Level 1 self-assessment, a Level 2 self-assessment, a Level 2 third-party assessment, or a Level 3 assessment.
Working Towards Security Maturity for a Competitive Advantage
Registered Practitioners (listed by the Cyber AB, the CMMC accreditation body) remain the go-to resource for companies that want to confirm they are heading in the right direction with CMMC and their POA&M items. Many executives see working with a Registered Practitioner as a way to reduce risk: it gives them confidence that security gaps will not shut them out of the DoD supply chain.