Cybersecurity Maturity Model Certification (CMMC) 2.0
CMMC 2.0: Summary of Changes and their Impact
What is CMMC 2.0 and how is it different than CMMC 1.0?
On November 4th, 2021, a major overhaul of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program was released by the Office of the Under Secretary of Defense for Acquisition & Sustainment.
The Department of Defense (DoD) has revised the CMMC program to promote adoption of cybersecurity practices in small and medium businesses while setting priorities for the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the DoD.
Highlights of the Changes Associated with CMMC 2.0
- CMMC 1.0 Levels 2 & 4 have been removed to create a more streamlined maturity model.
- Level 2 (formerly Level 3) aligns exactly with NIST SP 800-171 Rev. 2 and drops the 20 additional CMMC-specific controls.
- CMMC Third Party Assessor Organization (C3PAO) assessments are no longer required for Level 1 or for a yet-to-be-specified subset of Level 2. They are replaced by the existing SPRS self-attestation method already in use by DoD contractors.
- The scope of the Level 1 self-attestation is reduced from the full set of 110 NIST SP 800-171 controls required under DFARS Clause 252.204-7012 to just the 17 controls associated with Level 1.
- Level 3 Assessments (formerly Level 5) will now be led by government officials instead of C3PAOs.
- Plan of Actions and Milestones (POA&Ms) that were prohibited in CMMC 1.0 are allowed in a “limited” fashion in CMMC 2.0.
- A waiver system has been added for exemption from CMMC Certification.
- Separately, the Civil Cyber-Fraud Initiative was announced last month by the DOJ to pursue firms who falsify self-attestations under the False Claims Act, including extensive fines and penalties (up to 3x damages suffered by the government) with whistleblower payments of 15-30%.
“We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”
– Deputy Attorney General Lisa O. Monaco
Why Gray Analytics
Gray Analytics is an industry leader in helping federal agencies and contractors secure their IT infrastructures in accordance with today’s regulatory environment, including compliance with FAR and DFARS contractual obligations, SPRS attestations, and the NIST families of controls.
Our team is dedicated to staying current on the Department of Defense’s (DoD’s) latest acquisition policies, and members of our team worked with the DoD on the development of the Cybersecurity Maturity Model Certification (CMMC) to meet the rapidly changing challenges in today’s cybersecurity landscape.
Gray Analytics’ deep experience and industry knowledge will help you prepare for the pending CMMC assessments. Our team has the certified staff necessary to help keep any firm in compliance with the complex and ever-shifting regulatory environment. This helps to ensure a smooth adoption of changing controls and minimizes the risk of lost contracts through non-compliance.
- Gray Analytics is authorized as a Registered Professional Organization (RPO) by the CMMC Accreditation Body.
- We add structure and clarity to your compliance challenges, eliminating the gray areas from the DoD’s acquisition policies so that you can focus on identifying and mitigating any gaps to compliance in a timely and efficient manner.