CMMC Model 2.0 is a more streamlined cybersecurity requirement and is designed to lower costs for smaller companies the DoD relies on to provide critical products and services used to defend the country. Most defense contractors will be allowed to self-assess their cybersecurity implementation instead of going through expensive certification assessments.
- Lowers costs for smaller companies by drastically reducing the number of organizations that will need an expensive third-party certification
- Reduces the levels within the program from five to three (CMMC Model 1.0 Levels 2 and 4 have been eliminated)
- Allows companies at Level 1, and a subset of companies at Level 2, to self-assess
- Reduces the number of requirements in each level to align with current standards
- Makes earning certification easier by allowing companies to set timelines for addressing deficiencies instead of failing certification for not achieving a perfect score
- Allows certification requirements to be based on the sensitivity of information that flows down to subcontractors
- Increases the oversight of the assessment program
Program details, including the critical scoping guides required to create assessor training programs, will be released soon, according to the DoD. The current provisional assessment program has been suspended, and the announced changes indicate the CMMC implementation timeline may even be accelerated from the originally planned five-year rollout.
CMMC Levels and Requirements
Level 1 – Foundational. Includes the original 17 CMMC practices for contractors that do not process, store, or transmit Controlled Unclassified Information (CUI), but who do work with Federal Contract Information (FCI) that is not intended for public access. Contractors needing to comply with Level 1 will be allowed to self-assess and attest to their cybersecurity implementation. The DoD will utilize an audit program to validate compliance. Falsely attesting may result in False Claims Act lawsuits, which may be brought by whistleblowers working for defense contractors.
Level 2 – Advanced. Replaces the original CMMC Level 3 and is the minimum requirement for contractors that process, store, or transmit CUI. Level 2 now requires just the 110 practices defined in NIST Special Publication 800-171 and eliminates the 20 additional requirements in the original CMMC Level 3. Contractors will be required to pass a third-party assessment every three years, except for “select programs” (not yet defined) that will allow self-assessments. Previously, CMMC required a perfect score to earn certification. CMMC 2.0 allows companies “under certain limited circumstances” to create Plans of Action & Milestones (POA&Ms) with strict timelines to achieve certification without a perfect score. Minimum scores will be required, and critical practices must be fully implemented rather than deferred through POA&Ms.
Level 3 – Expert. Replaces the original CMMC Level 5 and will be required for contractors with extremely sensitive CUI. This level will require the 110 practices defined in NIST Special Publication 800-171 and selected (to be announced) practices in NIST Special Publication 800-172, down from the 171 practices in the original CMMC Level 5. Contractors will be required to pass a government assessment every three years.