Cybersecurity Maturity Model Certification (CMMC) 2.0
CMMC 2.0: Summary of Changes and their Impact
On November 4th, 2021, the Office of the Under Secretary of Defense Acquisition & Sustainment released a major overhaul of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program.
Source: Chief Information Officer - U.S. Department of Defense
The Department of Defense (DoD) revised the CMMC program to promote adoption of cybersecurity practices in small and medium businesses while setting priorities for the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the DoD.
Highlights of the Changes Associated with CMMC 2.0
1. CMMC 1.0 Levels 2 and 4 were removed to create a more streamlined maturity model.
2. Level 2 (formerly Level 3) aligns exactly with NIST SP 800-171 Rev. 2; the 20 additional CMMC-specific controls were removed.
3. CMMC Third Party Assessor Organization (C3PAO) assessments are no longer required for Level 1 or for a yet-to-be-specified subset of Level 2. These assessments have been replaced with the existing SPRS self-attestation method already in use by DoD contractors.
4. Level 1 self-attestation now covers only the 17 controls associated with Level 1, rather than the full set of 110 NIST SP 800-171 controls required under DFARS Clause 252.204-7012.
5. Level 3 Assessments (formerly Level 5) will now be led by government officials instead of C3PAOs.
6. Plans of Action and Milestones (POA&Ms), which were prohibited in CMMC 1.0, are allowed in a “limited” fashion in CMMC 2.0.
7. A waiver system was added to allow exemption from CMMC certification.
8. Separately, the DOJ announced last month the Civil Cyber-Fraud Initiative to pursue firms that falsify self-attestations under the False Claims Act, with extensive fines and penalties (up to 3x the damages suffered by the government) and whistleblower payments of 15-30%.
Source: Department of Justice press release
Why Gray Analytics for Your CMMC Support
Gray Analytics is an industry leader in assisting federal agencies and contractors in securing their IT infrastructures in accordance with today’s regulatory environment, including compliance with FAR and DFARS contractual obligations, SPRS attestations, and the NIST families of controls.
Our team is dedicated to staying up to date on the Department of Defense’s (DoD’s) latest acquisition policies, and members of our team worked with the DoD on the development of the Cybersecurity Maturity Model Certification (CMMC) to meet the rapidly changing challenges in today’s cybersecurity landscape.
Further, Gray Analytics’ deep experience and industry knowledge will help you prepare for the pending CMMC assessments. Our team has the certified staff needed to keep any firm in compliance with the complex and ever-shifting regulatory environment. As a result, we help ensure a smooth adoption of changing controls and minimize the risk of lost contracts due to non-compliance.
Gray Analytics is authorized as a Registered Professional Organization (RPO) by the CMMC Accreditation Body.
We add structure and clarity to your compliance challenges, eliminating the gray areas from the DoD’s acquisition policies so that you can focus on identifying and mitigating any gaps to compliance in a timely and efficient manner.