On November 4, 2021, the Department of Defense (DoD) unveiled changes to the Cybersecurity Maturity Model Certification (CMMC) standard.
Referred to as CMMC 2.0, the updated program is a result of an internal assessment led by the DoD after defense contractors and subcontractors pushed back against initial requirements.
CMMC 2.0 simplifies the standard and eases or outright eliminates some of the requirements.
What are CMMC 2.0’s biggest changes?
Compared to the original proposed CMMC standard, CMMC 2.0 makes some significant changes:
- Eliminates CMMC-only controls and focuses on NIST cybersecurity standards
- Eliminates maturity processes
- Allows self-assessments for contracts without information critical to national security
- Allows the use of POA&Ms for select requirements (with certain caveats)
Let’s dive deeper into what these changes mean for contractors and subcontractors.
1. CMMC 2.0 puts the focus on NIST requirements
The National Institute of Standards and Technology (NIST) created Special Publication 800-171 to set standards in how businesses can protect controlled unclassified information (CUI) in nonfederal systems and organizations.
CMMC 2.0 puts forth NIST SP 800-171 as the main set of requirements that businesses at CMMC Level 2 will now need to meet in order to comply with the CMMC standard (Level 3 will need to follow NIST SP 800-172). This means organizations can deprioritize the CMMC-specific requirements from CMMC 1.0 and focus on NIST.
2. CMMC 2.0 eliminates maturity processes
CMMC 1.0 required businesses to meet specific practices, document how they were meeting them and provide evidence they were doing so. CMMC 2.0 eliminates the requirement of process documentation. You no longer have to create a document that specifies who has oversight over a control, how you’ve budgeted for it, what the output of the control is, etc.
You will still need to provide evidence that you’ve implemented the controls, but specifically documenting policy and procedures for how controls are implemented is no longer required.
Should you skip it? Not necessarily. By documenting your processes, your business can identify and close gaps in each process, standardize the process and repeat it consistently, and ensure new employees who come into the organization can easily learn the process. Instead of introducing unnecessary variability in your processes, you’re actively reducing the risks you’re taking.
3. CMMC 2.0 lets you do a self-assessment in certain cases
Instead of undergoing a third-party assessment, businesses will be able to do a self-assessment if they do not handle CUI critical to national security. (Note that the DoD still needs to define what CUI will fall under this.)
While organizations have been able to perform self-assessments in the past, the expectation is that under CMMC 2.0, the self-assessment will now end in an attestation from a senior executive in the business that the self-assessment is complete and accurate. If a data breach or cyber incident occurs afterward, and the DoD concludes that the organization misrepresented itself in the self-assessment, there could be significant penalties and damages involved, such as three times the value of the contract.
4. CMMC 2.0 lets you use POA&Ms for some requirements
A Plan of Action and Milestones (POA&M) lets businesses that don’t meet every single requirement outline the corrective actions they will take to meet those requirements. In the past, businesses have often created POA&Ms but then not actually followed through on the corrective actions, and the DoD recognizes this. CMMC 2.0 will allow businesses to use POA&Ms, but with two big caveats. The first is that a number of requirements will be nonnegotiable and cannot be placed on a POA&M. The second is that businesses will need to achieve a specific assessment score in order to be eligible to use a POA&M.
What if you’ve already begun implementing CMMC 1.0?
First, it’s important to acknowledge that the announcement of CMMC 2.0 is really an announcement of the DoD’s strategic intent. It still needs to go through the formal rulemaking process, which the DoD has stated could take 9-24 months.
However, if you’ve already begun implementing CMMC, there’s no reason to stop. Even though it’s been streamlined with 2.0, it still could take you two years to get everything in place. What you can do is identify the differences between 1.0 and 2.0 and make the necessary pivots. For example, you can identify and deprioritize the CMMC-only controls and focus on implementing the NIST ones.
What if you haven’t started yet?
If you haven’t gotten started with CMMC, now is the right time. Begin by focusing on NIST SP 800-171, Revision 2. Its 14 control families are organized into basic and derived security requirements. Implement the basic ones first before moving on to the derived ones.
Once you’ve implemented CMMC 2.0’s requirements, you can work with a Registered Provider Organization (RPO) to ensure you’re prepared for the assessment. An RPO will perform a baseline assessment and create a POA&M that identifies the corrective actions you need to take. They can also help you carry out those corrective actions, implement new security safeguards and manage your secure environment.
Even if you’re not undergoing a third-party assessment, having an RPO verify you’ve implemented controls correctly, identify any gaps and create your POA&M will help you significantly when it comes to your self-assessment.
Click here to learn more about Wipfli’s RPO services.