An Early Look at CMMC 2.0

Update: This article has been updated to reflect the publishing of the CMMC Final Rule (CMMC 2.0).

The Cybersecurity Maturity Model Certification (CMMC) is a standard developed by the Department of Defense (DoD) to protect information in the Defense Industrial Base (DIB). The CMMC applies to any organization in the DoD supply chain, including contractors and subcontractors. It is designed to protect these two types of data:

Federal Contract Information (FCI): FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.

Controlled Unclassified Information (CUI): CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI relevant to the CMMC include:

• Data on defense, nuclear, and natural resources infrastructures
• Financial records
• International agreements
• Global and domestic defense data
• Provisional and statistical data from governmental agencies

In October 2024, the DoD published the CMMC Final Rule. The rule will be effective on December 16, 2024. The DoD’s follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025.  Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts.  More information on the timing of the proposed DFARS rule can be found here.

Here are some significant changes from the original CMMC and CMMC 2.0:

Three Certification Levels

The number of certification levels is being reduced from five to three. We are still waiting on the specifics of the certification process for each level.

Level 1: Foundational

Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the requirements of 17 practices that represent the safeguarding requirements of the Federal Acquisition Regulation (FAR) 52.204.21.

Level 1 compliance will be an appropriate target for organizations that handle FCI, but not CUI.

Level 2: Advanced

This certification level will be split into two groups. Organizations that handle CUI will need to work with a C3PAO to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.

All organizations seeking Level 2 certification need to prove they implemented the requirements of NIST SP 800-171 (110 practices). Level 2 will likely be the most common.

Level 3: Expert

The most rigorous level of certification. Level 3 should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification organizations must meet all the requirements found in NIST 800-172. Assessments for Level 3 certification will be government-led and need to be completed every three years.

Plans of Action and Milestones Now Allowed with Limitations

The original CMMC did not allow for Plans of Action and Milestones (POA&M), which are used to document gaps and details on how the gaps will be addressed. Under CMMC 2.0, contractors can use POA&Ms to achieve certification if specific deadlines for mitigating gaps are included, but with specific limitations and requirements. The key aspects of POA&Ms in the new CMMC proposed rule are as follows:

• POA&Ms are allowed under the CMMC for certain requirements and for a limited time. Specifically, all POA&Ms must be closed within 180 days of the initial assessment.
• POA&Ms are not permitted for Level 1 assessments in the CMMC framework. However, they are allowed for Level 2 assessments under specific conditions.
• For CMMC Level 2, POA&Ms are allowed to comply with requirements not met at the time of assessment. However, there are restrictions, such as not being permitted for a number of controls and being allowed only if a contractor achieves a particular assessment score.
• Organizations seeking CMMC certification do not need a perfect score, but they need to achieve a minimum of 80% or 88 out of 110. Only 1-point controls can be considered for POA&Ms, but not all 1-point controls are eligible for this.

CMMC 2.0 Control Domains

There are 14 control (aka practice) domains in CMMC 2.0, down from 17 in the original. Each domain is constructed of controls that describe processes or practices your company will need to implement. Only a few of these areas are necessary for Level 1 compliance. They are all required to obtain a Level 2 or 3 certification.

1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection  
9. Personnel Security  
10. Physical Protection
11. Risk Management
12. Security Assessment
13. Systems and Communications Protection
14. System and Information Integrity

Preparing for CMMC 2.0 Certification

Here are some actions your organization can take now to prepare for a successful CMMC 2.0 assessment.

Assess Your Data

Do your DoD contracts involve working with FCI, CUI, or both? The type of information you will handle will determine if you need to go the Level 1,2, or 3 route.

Prepare Your Documentation

Be sure all your cybersecurity policies and procedures are documented, have been recently reviewed, and would hold up the scrutiny of an audit.

Conduct the Appropriate Gap Assessment

When you’ve determined what certification level is right for your business, conduct a gap assessment against the following corresponding standards:

Level 1 – FAR

Level 2 – NIST 800-171

Level 3 – NIST 800-172

Remediate the Gaps

Take action on the discoveries from the gap assessment. If you create any POA&Ms, be sure they document your remediation plans, identify the resources required, and establish milestones and completion dates.

For more in-depth information on CMMC, listen to our CMMC: The Requirements, Challenges, and Benefits podcast.

CompliancePoint has a team of cybersecurity professionals that can guide your organization through every step of the CMMC certification process. Contact us at connect@compliancepoint.com to learn more about how we can help.