CMMC 2.0 is here

Nov 2, 2022 | Cyber Security, IT News

Last year, the U.S. Department of Defense (DoD) completed its internal review of the Cybersecurity Maturity Model Certification (CMMC). Several significant changes have been made, and all DoD contractors need to be aware of them.

What’s the difference between CMMC and CMMC “2.0”? Let’s take a look.

What is CMMC 2.0?

The DoD’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is the new standard for DoD contracts that takes the place of the section of NIST 800-171 dealing with compliance for Controlled Unclassified Information (CUI). CMMC 2.0 has three levels. Level 1 has 17 practices, allows self-assessments, and is primarily targeted at protecting Federal Contract Information (FCI). Level 2 has 110 practices, may or may not require a third-party assessment, and is targeted at protecting CUI. Level 3 is based on NIST 800-172 and is only required for the highest priority, most critical defense programs.

As of right now, CMMC 2.0 mirrors NIST 800-171’s 110 security practices for most government contractors working with controlled unclassified information (CUI). The DoD specifies the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

What has changed between CMMC and CMMC 2.0?

The most notable change is that the original five levels of CMMC have been condensed into three. Here is the complete breakdown of all key differences between CMMC and CMMC 2.0:

  • CMMC now has three levels (instead of five).
  • Annual self-assessments are allowed for Level 1 and a portion of Level 2.
  • An annual affirmation by company leadership is required for self-assessments.
  • CMMC 2.0 Level 1 has 17 practices.
  • Most government contractors working with CUI are at the new CMMC 2.0 Level 2.
  • CMMC 2.0 Level 2 may require a third-party assessment.
  • CMMC 2.0 Level 2 has 110 practices and mirrors NIST 800-171.
  • Cybersecurity maturity processes are no longer required.
  • CMMC 2.0 Level 3 is based on a subset of NIST 800-172.
  • Level 3 is only required for the highest priority, most critical defense programs and will require government-led assessments.
  • Plans of Action and Milestones (POA&Ms) are allowed but are strictly time constrained and can only be used for a subset of practices.
  • CMMC 2.0 has now officially been implemented, but there may be revisions in the very near future.

While the DoD is not asking small to medium-sized businesses to implement Fort Knox’s level of security, it is requiring adequate security and good cyber hygiene. That’s what the Cybersecurity Maturity Model Certification is all about. And that’s exactly why you should turn to the experts for help in adopting it. That’s where we come in.

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!
