The Cybersecurity Maturity Model Certification (CMMC) was announced at the beginning of 2020, and since then it’s garnered a lot of attention. CMMC is the program established by the US Department of Defense (DoD) intended to improve security by requiring certification of external contractors – of which there are more than 300,000. With the defense industrial base (DIB) constantly under the threat of cyber warfare, this program is necessary and a matter of national security.

While the purpose of the CMMC remains unchanged, the framework has changed quite a bit with the recently announced CMMC 2.0. Here are a couple key changes:

There are only 3 levels of maturity. Down from 5, the framework has just 3 levels of cybersecurity maturity:

  • Level 1 is Foundational – this is the level that any contractor who is dealing with Federal Contract Information (FCI) will need to achieve. A key difference here is also that organizations will be able to do an annual self-assessment.
  • Level 2 is Advanced – similar to the former Level 3 of “Good Cyber Hygiene”, this level must be satisfied by any organization who deals with Controlled Unclassified Information (CUI). For these assessments, most (there are very few exceptions) will require a third party (C3PAO) assessment for certification.
  • Level 3 is Expert – although still under development, this level will be based on a subset of NIST SP 800-172 and the assessments will be done by the government.

Plans of Action and Milestones (POAMs) will be accepted. Originally POAMs were not accepted because the CMMC framework was intended to be 100% confirming and they would have disadvantaged those who invested the time and money to be secure. With CMMC 2.0 there are limited situations where organizations can create POAMs to achieve certification. But these will need to be fully executed within 180 days.

Although CMMC 2.0 is still in the process of being reviewed, we stick by the recommendation that the time to prepare is now. As soon as CMMC 2.0 goes into effect, those contractors will need to be compliant in order to get awarded the contract. And don’t let the fact that its fewer levels fool you – the requirements are still difficult and will require time, money, and expertise.  Do an audit of your environment to see where you’re currently at, understand where you need to be, and don’t delay going down the path of getting certified.

For more on how to prepare for your certification, check out our CMMC Checklist.