The U.S. Department of Defense just released CMMC 2.0.
The evolution of CMMC comes with significant changes.
A couple of highlights include:
The model is streamlined from 5 levels to 3 levels (essentially removing levels 2 & 4).
CMMC 2.0 focuses on NIST standards. Per the DoD website:
Level 1 in CMMC 2.0 (the “Foundational” level) includes 17 of the NIST 800-171 practices.
Level 2 in CMMC 2.0 (the “Advanced” level) will be the equivalent to the NIST SP 800-171. The extra 20 practices introduced in the former CMMC level 3 are removed.
Level 3 in CMMC 2.0 (the “Expert” level) (previously level 5) is currently under development but will be based on a subset of NIST SP 800-172 requirements.
Removing the requirement that all DoD contractors get certified by a third-party assessor. Per the DoD website:
“DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
Once CMMC 2.0 is implemented, self-assessments, associated with Level 1, and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.”
These changes to CMMC will be implemented through the rulemaking process, which will include a public comment period. Compliance with CMMC will be required once the rules go into effect. The current CMMC piloting effects are being halted, and DoD indicated they will not include a CMMC requirement in any contracts while the rulemaking efforts are ongoing.