CMMC 2.0 Update

By: Dave Newman
CMMC, Continuous Compliance

The CMMC Accreditation Body (CMMC-AB) hosted a CMMC 2.0 Townhall webinar to review the new requirements in version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) standard. The CMMC-AB had already confirmed its support for the changes to the CMMC compliance initiative proposed by the Department of Defense (DoD) as the result of a six-month internal program review.

The following distinguished members of the DoD and CMMC community presented during this townhall:

  • Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy
  • Matt Travis, Chief Operating Officer, CMMC-AB
  • David McKeown, Deputy Chief Information Officer (Cybersecurity), DoD
  • Buddy Dees, Director CMMC Program Management Office, DoD
  • Kyle Gingrish, Vice President for Training, CMMC-AB

Over 2,000 participants joined this townhall webinar via Zoom.

PRIMARY REASONS FOR CMMC 2.0 COMPLIANCE

CMMC-AB’s CEO, Matt Travis, stated in this webinar that there are four major reasons for the adoption of CMMC 2.0 by the CMMC-AB:

  • A risk management approach applied by the DoD to digital risk in defining the CMMC 2.0 requirements
  • Streamlining of the CMMC compliance standard to make it more accessible to small businesses
  • Improving the scalability of the CMMC standard
  • Reaffirming the role of the CMMC-AB as the exclusive DoD partner for CMMC matters

Some of the feedback that both the DoD and the CMMC-AB received from DoD contracting firms, particularly those in the small business category, was that meeting the compliance requirements in CMMC 1.0 was hard. CMMC 2.0 intends to address those concerns by developing a roadmap for small businesses to start managing their cyber risk within the requirements of the new CMMC 2.0 levels. As stated by Deputy Assistant Secretary of Defense for Industrial Policy, Jesse Salazar, “CMMC 2.0 reinforces the Department’s unwavering commitment to bolster the cybersecurity of the Defense Industrial Base (DIB)”.

WHAT CHANGED IN CMMC 2.0

There are three primary changes in CMMC 2.0 from its predecessor CMMC 1.0 version:

  • CMMC 2.0 now has three (3) levels, down from five (5) in CMMC 1.0. CMMC 1.0 Levels 2 and 4 were eliminated, with Level 1 remaining as is, Level 3 becoming Level 2, and Level 5 becoming Level 3.
  • Practices are aligned with NIST 800-171 / 800-172, removing the additional 20 DoD controls added on top of NIST 800-171 for CMMC 1.0 Level 3.
  • CMMC 2.0 expands self-assessments to Level 2 (formerly known as Level 3 in CMMC 1.0) for select programs, in addition to third-party assessments, and requires government-led assessments for the new Level 3 Expert tier.

The following diagram shows the progression from CMMC 1.0 to 2.0 and highlights some of the most fundamental changes:

The following diagram shows the Assessment requirements for the new CMMC 2.0 levels:

David McKeown, Deputy Chief Information Officer (Cybersecurity), DoD, highlighted that CMMC is part of a four-pronged DIB cybersecurity approach taken by the Department:

  • Cyber threat intelligence sharing with the DIB through the Defense Cyber Crime Center (DC3) and NSA
  • Mandatory incident reporting for when companies are compromised
  • Cybersecurity technical assistance and collaboration, including involvement from DC3 and NSA
  • Cybersecurity requirements and assessment mechanisms based on NIST 800-171 including self-assessments, third-party assessments, and government-led assessments

Mr. McKeown did mention that CMMC 2.0’s strict alignment with NIST 800-171 would enable the Department to partner with other federal government agencies in the future, which suggests that CMMC might eventually be required across the rest of the federal government supply chain.

ABOUT PO&AMs AND WAIVERS

According to Buddy Dees, Director of the CMMC Program Management Office, CMMC 2.0 will allow companies that are not 100% in compliance with their CMMC level to bid for new contracts in some cases, leveraging additional flexibility in the use of Plans of Action & Milestones (PO&AMs). However, PO&AMs must be strictly time-bound (potentially 180 days) and, of course, will not be allowed for the highest-weighted or most critical requirements. Additionally, there will be a minimum DoD scoring threshold that limits how many requirements can be documented in PO&AMs.

Waivers will be allowed on a very limited basis for mission-critical scenarios and must be submitted along with strategies to mitigate the CUI risk. Additionally, senior DoD approval will be required for any waiver.

By taking a cyber risk approach to cybersecurity readiness in CMMC 2.0, the Department and the CMMC-AB are making it easier for small businesses to implement the CMMC requirements. In doing so, they hope to promote true CMMC adoption across the board. At the end of the day, CMMC is all about promoting cybersecurity readiness, mitigating cyber risk, and preventing adversarial activity that could put national security at risk.

For companies that handle CUI and need to comply with the new CMMC 2.0 Level 2 requirements, completing a C3PAO third-party assessment and certification ahead of the mandated deadlines should be considered a competitive advantage and differentiator. In fact, the CMMC-AB is considering providing incentives to accelerate C3PAO certifications.

Abacode is a CMMC-AB Certified Registered Provider Organization (RPO). Our Managed Cybersecurity & Compliance Core Program (MCCP Core), based on the CMMC requirements, will allow your company to implement and comply with the CMMC 2.0 requirements without disrupting your business operations. Contact us at CyberConnect@abacode.com to start your CMMC compliance journey together.