The Three(3) Levels of CMMC 2.0

What is CMMC 2.0 and How Does it Differ From 1.0?

The Department of Defense announced its CMMC initiative in mid-2019, and CMMC 1.0 was released in early 2020. At that point, the Department of Defense set out on an ambitious five-year plan to have every one of the hundreds of thousands of companies doing DoD work certified by outside assessors at their appropriate CMMC level.

While the need for improved cybersecurity across the DIB was undeniable, the significant challenge of the planned rollout became clear quickly. Hundreds of public comments from small to midsize defense contractors (SMBs) were sent to the Department of Defense, expressing concerns about the CMMC framework’s complexity, as well as the costs of compliance and third-party certification.

Following congressional hearings, the Department of Defense released its much-revised CMMC 2.0 in November 2021. The new program aimed to lower costs for small businesses while also aligning cybersecurity requirements with other federal regulations.

CMMC 2.0 differs from 1.0 in the following key ways:

• It lowers the number of CMMC levels from five to three. The new CMMC 2.0 levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
• 2.0 dropped 20 security requirements for the new CMMC Level 2., making it now in complete alignment with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share Controlled Unclassified Information (CUI).
• Whereas POAMs were not allowed in 1.0, CMMC 2.0 will allow limited use of Plans of Actions and Milestones (POAMs) that can be submitted in lieu of meeting certain non-critical security controls.
• Waivers of certification will be permitted in very limited circumstances.

POAMs and Waivers

As previously stated, CMMC 2.0 will allow some defense contractors to self-certify their cybersecurity compliance rather than having to submit to third-party audits as required by CMMC 1.0. CMMC 2.0 will also allow limited use of Plans of Actions and Milestones (POAMs), which can be submitted in lieu of meeting certain non-critical security controls, unlike the original framework. Certification waivers will also be permitted in very limited circumstances.

What are the 3 levels of CMMC 2.0?

• Level 1 (Foundational) only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems, limit access to authorized users.
• Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3.
  CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.
• Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

The new CMMC cybersecurity standards will help the Department of Defense defend against cyberattacks that threaten US military, technological, and commercial advantages. However, it is clear that the Department of Defense cannot wait for the implementation of CMMC 2.0 to improve cybersecurity in the Defense Industrial Base. While the new CMMC 2.0 framework is going through the federal rulemaking process, federal cybersecurity regulations governing defense contractors are being enforced more aggressively.