The CMMC 2.0 framework was not publicly accessible as of November 29th, 2021. Although the regulations are expected to be published soon, followed by a 60-day window for public comment, the rulemaking process may stretch into the fall of 2023.
The good news is that the DoD has released some information about CMMC for contractors, mainly via the website of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) and a notice released on the 17th. Based on those sources, the following are some critical distinctions between CMMC 2.0 and CMMC 1.02:
Scaled-Back Level System
Government agencies were assessed according to five levels of security under CMMC 1.02, with Levels 1-3 requiring “Basic,” “Intermediate,” and “Good” cyber hygiene and Level 5 requiring an “Advanced” security program. CMMC 2.0 eliminates Levels 2 and 4, leaving only three levels that closely correspond to the old Level 1, Level 3, and Level 5.
Like the previous Level 1, the new Level 1 “Foundational” will consist of the 17 “basic” security measures taken from FAR clause 52.204-21.
Level 2 “Advanced” will contain the 110 controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, just as the original Level 3 did. However, the 20 additional controls have been dropped, leaving only security measures drawn from NIST.
Little was revealed about the enhanced cybersecurity measures at the original Level 5. The situation is simpler for Level 3 “Expert” under CMMC 2.0: firms will be expected to adhere to a subset of controls drawn from NIST SP 800-172 in addition to the measures from NIST SP 800-171.
In sum, all “CMMC-specific security practices” appear to have been removed from CMMC 2.0, so that its structure closely mirrors existing FAR and NIST requirements. Additionally, unlike in earlier iterations of CMMC, businesses will no longer be assessed for “Process Maturity” or “Institutionalization.”
Reduced Need for Third-Party Evaluation
Under CMMC 1.02, all defense contractors were required to undergo evaluation by a certified third-party assessment organization (C3PAO) once every three years, regardless of whether they held controlled unclassified information (CUI) deemed crucial to national security. CMMC 2.0 significantly modifies this requirement.
About 140,000 of the approximately 220,000 enterprises in the defense industrial base will fall within Level 1 of CMMC 2.0, requiring only a yearly self-assessment under the supervision of a senior-level executive. The same will apply to the roughly half of Level 2 enterprises that do not hold “important” CUI.
Companies at Level 3 will be subject to a government-led evaluation every three years, though specifics have not yet been released. The remaining 40,000 Level 2 businesses will still be subject to third-party assessment once every three years.
Expanded Exceptions and Leniencies
Under CMMC 1.02’s contract award requirements, companies had to be fully compliant or lose eligibility. The DoD will be more forgiving under CMMC 2.0, awarding contracts to select firms that have not yet fully implemented CMMC, as long as they submit a Plan of Action and Milestones (POA&M) and agree to follow a strict timeline.
CMMC 2.0 will also include a limited waiver process under the CMMC DFARS clause, allowing firms to forgo some CMMC requirements in certain situations. These waivers would probably not cover mission-critical security controls, and many specifics about the process and its scope have not yet been made clear. A waiver process is nonetheless a significant departure from CMMC 1.02.