What’s new in CMMC 2.0?
Tom kicked off the discussion around CMMC 2.0 with the biggest and most noticeable change – condensing the five maturity levels down to just three. Instead of five levels of progressive security maturity that contractors were expected to adhere to (depending on the type of contract and the information they would have access to), contractors will now only have to deal with three progressively more complex levels of security. To find out more about the existing five levels of security maturity, you can take a quick read of our previous blog on CMMC 1.0. For the purposes of this talk, Tom jumped right in and laid out the new levels for us:
CMMC Level 1
Now also known as the “Foundational” level, this remains largely unchanged from CMMC 1.0. Contractors will still have to submit annual self-assessments and certifications that speak to their competence in regard to handling data. They will also still be expected to use the same security controls derived from FAR 52.204-21 that represent the bare minimum requirements for the handling of federal contract information.
CMMC Level 2
Now known as “Advanced”, this level is based on level 3 from the existing CMMC 1.0 framework. Contractors will be filtered into two main categories – “prioritized acquisitions” and “non-prioritized acquisitions”. The former could involve the handling of classified information relating to weapons systems, for instance, while the latter will relate to less sensitive issues such as uniforms and other basic provisions. Depending on which category of the “Advanced” level a contractor falls into, it will either have to undergo an independent third-party assessment every three years or carry out an annual self-assessment and certification.
CMMC Level 3
Level 3, known as the “Expert” level, will effectively combine and replace levels 4 and 5 of CMMC 1.0. Acquisitions at this level will require government-led assessments, compliance with more than a hundred different controls, as well as compliance with all of the controls in the National Institute of Standards and Technology’s (NIST) SP 800-172. The introduction of NIST standards is most likely related to the Biden administration’s push to expand NIST’s role in federal cybersecurity more generally.