Things to know about CMMC 2.0

Dec 09, 2021


Written by: Samantha Mabey

The Cybersecurity Maturity Model Certification (CMMC) was announced at the beginning of 2020, and it has garnered a lot of attention since. CMMC is the program established by the US Department of Defense (DoD) to improve security by requiring certification of the external contractors and subcontractors that make up the defense industrial base (DIB), of which there are more than 300,000. With the DIB constantly targeted by nation-state and criminal actors, this program is necessary and a matter of national security.

While the purpose of CMMC remains unchanged, the framework has changed quite a bit with the recently announced CMMC 2.0. Here are two key changes:

There are only 3 levels of maturity. Down from 5, the framework now has just 3 levels of cybersecurity maturity:

  • Level 1 is Foundational – this is the level that any contractor handling Federal Contract Information (FCI) will need to achieve. It consists of the 17 basic safeguarding practices already required by FAR 52.204-21. A key difference is that organizations will be able to do an annual self-assessment instead of a third-party assessment.
  • Level 2 is Advanced – similar to the former Level 3 of “Good Cyber Hygiene”, this level must be satisfied by any organization that handles Controlled Unclassified Information (CUI), and it is aligned with the 110 security requirements of NIST SP 800-171. For most organizations (DoD has said only a subset of programs with non-prioritized CUI will be allowed to self-assess), certification will require an assessment every three years by a CMMC Third-Party Assessment Organization (C3PAO).
  • Level 3 is Expert – although still under development, this level will be based on a subset of NIST SP 800-172 and the assessments will be conducted by the government.

Plans of Action and Milestones (POA&Ms) will be accepted. Originally POA&Ms were not accepted because the CMMC framework was intended to require 100% conformance, and allowing them would have disadvantaged contractors who had already invested the time and money to be fully compliant. With CMMC 2.0 there are limited situations where organizations can use a POA&M to achieve certification: DoD has indicated that the highest-weighted requirements will not be eligible for a POA&M, that a minimum assessment score will still be required, and that any open items must be fully remediated within 180 days.

Although CMMC 2.0 is still going through rulemaking, we stick by the recommendation that the time to prepare is now. As soon as CMMC 2.0 goes into effect, contractors bidding on contracts that carry a CMMC requirement will need to meet the required level in order to be awarded the contract. And don’t let the fact that there are fewer levels fool you – the requirements are still difficult and will require time, money, and expertise. Because Level 2 maps directly to NIST SP 800-171, which DFARS 252.204-7012 already requires of anyone handling CUI (and DFARS 252.204-7019 already requires a self-assessment score to be posted to SPRS), a gap assessment against those 110 requirements is the practical starting point. Do an audit of your environment to see where you currently stand, understand where you need to be, and don’t delay going down the path of getting certified.

For more on how to prepare for your certification, check out our CMMC Checklist.

Samantha Mabey
Director of Digital Security Solutions Marketing
Samantha Mabey is Director of Digital Security Solutions Marketing at Entrust. Samantha is responsible for driving the marketing, strategy, and communications within the Digital Security Solutions portfolio.