CMMC 2.0 streamlines requirements for contractors

By Hollie Kapos, Corporate Counsel

In September 2020, DoD published an interim rule to implement CMMC, which became effective November 30, 2020. The DoD received over 850 public comments in response, citing concerns with cost, trust in the assessment ecosystem, and alignment to other federal requirements.

Accordingly, it began an internal assessment of CMMC policy and implementation and, as a result, DoD has just announced CMMC 2.0, which makes several substantial changes from the original model.

Levels streamlined in CMMC 2.0

Levels 2 and 4 have been removed, so there are now only three instead of five levels of compliance as follows:

• CMMC Level 1, Foundational – Requires implementation of the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submission of an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).  
• CMMC Level 2, Advanced – Requires implementation of the 110 controls in NIST SP 800-171 and submission of an annual self-assessment or, if required to handle “critical national security information” (currently undefined), a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO). 
• CMMC Level 3, Expert – Requires implementation of the 110 controls in NIST SP 800-171 and a subset of controls from NIST SP 800-172 and a triennial government-led assessment. Requirements for level 3 are still being developed.

Additional changes

CMMC-unique practices and all maturity processes have been removed. The new levels will align to NIST practices reducing the number of controls formerly required under the initial framework. For example, Level 2 now only has 110 practices, down 20 from the prior Level 3 requirements. 

Under some circumstances, Plans of Action & Milestones (POA&Ms) and waivers may be allowed, providing greater flexibility than the prior model and allowing for certification even where some gaps remain in a contractor’s compliance with the controls. 

Effect on contractors

CMMC 2.0 will be implemented through the rulemaking process, including a public comment period, which is likely to take several months. In the meantime, current CMMC pilot programs will be suspended and the CMMC requirement will not be included in any DoD solicitation providing a bit of a reprieve in the timeline for compliance.

This will, undoubtedly, also have a substantial impact on C3PAOs, as CMMC 2.0 will likely require a change in their approach to audits, reducing the number to be performed and lessening the level of effort (and cost?) required to perform them.

Regardless of where CMMC 2.0 ultimately lands, cyberattacks are an evolving threat to the defense industrial base community and contractors must remain vigilant and continue enhancing their cyber practices. 

Keep on top of IT trends in government. Subscribe to immixGroup’s Government Sales Inside blog now!