August 21, 2024

Countdown to Compliance: Now Is the Time for DoD Contractors to Begin Preparing for CMMC 2.0

Coming 2025

The Department of Defense (DoD) published the initial version (version 1.0) of the Cybersecurity Maturity Model Certification (CMMC) in September 2020. CMMC was designed to protect sensitive unclassified information that the DoD shares with its contractors and subcontractors. CMMC 1.0 became effective in November 2020, which marked the beginning of a planned five-year phase-in period.

While the initial standard proved effective in protecting sensitive DoD information, many DoD contractors and subcontractors found it to be cumbersome, confusing, and difficult to implement. In November 2021, the DoD announced CMMC version 2.0, which significantly streamlines and refines the CMMC requirements relative to version 1.0. Version 2.0 is expected to significantly ease the burden of CMMC compliance for most DoD contractors and subcontractors.

Based on our in-depth knowledge of CMMC and experience helping clients achieve compliance, we strongly recommend that you begin preparing your organization for version 2.0 now.

This blog post describes when CMMC 2.0 takes effect, what changes are being introduced, how you should begin preparing your organization, and how Tevora can help you comply with this significant update to CMMC.

When Will CMMC 2.0 Take Effect?

CMMC 2.0 is being implemented through the DoD rulemaking process. Under this process, the proposed CMMC 2.0 rules were published in December 2023 for stakeholder comment, and the comment period ended in February 2024. While the final rules and effective date have not yet been published, our experts believe CMMC 2.0 will become effective sometime in the first quarter of 2025. At that point, contractors will need to be CMMC 2.0 compliant to be considered for DoD contracts.

While this may seem like a long way out, based on the magnitude of version 2.0 changes, you need to start preparing now.

What Changes Are Being Introduced with CMMC 2.0?

According to the DoD, “the enhanced ‘CMMC 2.0’ program maintains the program’s original goal of safeguarding sensitive information, while:

  • Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements,
  • Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs, and
  • Increasing Department oversight of professional and ethical standards in the assessment ecosystem.”

CMMC 2.0 requires that companies entrusted with national security information implement cybersecurity standards at three progressively advanced levels depending on the type and sensitivity of the information. Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Key CMMC 2.0 changes relative to version 1.0 include:

  • Reduces number of maturity levels from five to three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
  • No longer requires every contractor to obtain third-party certification. Allows Level 1 companies and a subset of Level 2 companies to demonstrate compliance through self-assessments.
  • Aligns certification requirements with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards and eliminates all maturity processes and CMMC-unique practice requirements.
    • Aligns Level 3 requirements with a subset of the NIST SP 800-172 standard.
    • Aligns Level 2 requirements with the NIST SP 800-171 standard.
    • Aligns Level 1 requirements with a subset of the NIST SP 800-171 standard.
  • Reduces number of practice requirements for all levels except the most basic (Level 1).
  • Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
  • Allows waivers to CMMC requirements under certain limited circumstances.

The diagram below provides a summary-level comparison between the key features of CMMC 1.0 and 2.0.

CMMC 1.0 vs. 2.0 Key Feature Comparison (source: CMMC website)

How Should We Begin Preparing for CMMC 2.0?

This section describes the steps we recommend you take now to begin preparing for CMMC 2.0.

Identify Your Level

Identify the CMMC level your organization wants to become certified for, keeping in mind that this will determine which types of DoD contracts you will be eligible to bid on. Below are key considerations for each of the three levels.

Level 1 Self-Assessment:

  • Is required for DoD contractors and subcontractors that will be handling Federal Contract Information (FCI). FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
  • Is estimated to account for roughly two-thirds of the companies in the Defense Industrial Base (DIB) sector.
  • Requires compliance with 17 NIST SP 800-171 requirements.

Level 2 Certification:

  • Is required for DoD contractors and subcontractors that will be handling Controlled Unclassified Information (CUI). CUI is defined as “Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies. It is sensitive information that does not meet the criteria for classification but must still be protected.”
  • Is estimated to account for roughly one-third of the companies in the Defense Industrial Base (DIB) sector.
  • Requires compliance with all 110 NIST SP 800-171 requirements.

Level 3 Certification:

  • Is required for DoD contractors and subcontractors that are critical to the operation of the DoD.
  • Is estimated to account for less than one percent of the companies in the Defense Industrial Base (DIB) sector.
  • Requires compliance with 134 requirements based on NIST SP 800-171 and 800-172 requirements.
  • Requires first achieving Level 2 certification, then engaging directly with the DoD to arrange a Level 3 certification assessment.

It’s worth noting that the specific NIST requirements for each level could potentially change as feedback received during the comment period for the proposed CMMC 2.0 rule is incorporated into the final rule’s publication. However, we do not anticipate that there will be significant changes to the final version 2.0 rules relative to the proposed rules.

Determine the Scope of Your CMMC 2.0 Environment

Identify the segments of your environment that will need to comply with CMMC 2.0 requirements. For example, if you want to achieve compliance with the requirements for Level 2, you may have some portions of your systems environment that handle CUI and others that do not. In this case, only the portions that handle CUI will need to comply with CMMC 2.0.

Another significant consideration is whether you have subcontractors that handle FCI or CUI. If so, you will need to ensure that they meet the CMMC 2.0 requirements for your level.

Conduct Readiness Assessment

Once you’ve determined your CMMC 2.0 level and scope, review all of the requirements that apply for your chosen level and compare this to your current privacy and security controls environment to determine where you have gaps.

Next, you’ll need to develop a timeline and plan for implementing the remediation steps needed to achieve compliance with your CMMC 2.0 level. For example, you might need to enhance your documentation, controls, policies, and procedures. You might also need to implement improved security tools and techniques to meet CMMC 2.0 requirements.

We Can Help

Tevora is an accredited Cybersecurity Inspector for conducting NIST 800-171 services. We can help you plan for and attain CMMC certification.

If you have questions about CMMC 2.0, or would like help preparing your organization to comply with the new CMMC framework, just give us a call at (833) 292-1609 or email us at sales@tevora.com.