CMMC 2.0

Nov 6

What changed?

The CMMC levels have been streamlined from five to three.
Annual self-assessments will be required at the new level 1 and for select programs at the new level 2.
The results of the annual self-assessment at the new level 1 must be uploaded to SPRS with an annual affirmation by a senior company official.
Triannual third-party assessments will be required for critical national security information at the new level 2.
Third-party assessments at level 3 will be led by the government.
Plans of Action & Milestones (POA&Ms) are allowed under certain limited circumstances:
- Highest weighted requirements cannot be on POA&M list.
- DoD will establish a minimum score requirement to support certification with POA&Ms.
Waivers to CMMC requirements are allowed under certain limited circumstances.
The current CMMC Piloting efforts are suspended.
The timeline for CMMC 2.0 depends on the rulemaking process; anticipated within the next 9-24 months.
Project Spectrum has been developed by the DoD to help small/medium-sized businesses in the defense industrial base (DIB) to assess their cyber readiness, and begin adopting sound cybersecurity practices in a cost-effective manner.
Incentives may be made available to contractors who voluntarily obtain a CMMC certification in the interim period (within the anticipated 9-24 months).

What did not change?

What does this mean to DIB companies?

Prepare now! There is less time to prepare; from the initial 5 years to 9-24 months.
- CMMC 2.0 will become a contract requirement once rulemaking is completed.
The CMMC security requirements did not change.
The cost for CMMC is significantly determined by the CMMC security requirements. Depending on the type of CUI a DIB company stores, processes or transmits, they may or may not see a difference in CMMC cost.

In conclusion, there are changes to the CMMC program but the fundamentals of the CMMC model remains the same. The time to prepare is now.