On the surface, the new CMMC 2.0 appears to be a complete overhaul of the original CMMC. Looking at it more closely, the changes are less drastic than they seem. The biggest change is that the five levels of CMMC 1.02 have been condensed into three levels in CMMC 2.0; CMMC 1.02 Levels 2 and 4 have been eliminated.
The New Level 1: “Foundational”
In CMMC 2.0, Level 1 will ensure basic safeguarding controls. Level 1 has 17 practices and will be required to complete an annual self-assessment.
This level only applies to organizations that are focused on protecting FCI. This level is designed to protect contractor information systems and limit access to only authorized users.
The New Level 2: “Advanced”
Level 2 is for companies that deal with Controlled Unclassified Information. It compares most closely with CMMC 1.02 Level 3. CMMC 2.0 dropped 20 security requirements for the new CMMC Level 2, and now it completely overlaps with the 110 security controls included in the National Institute of Technology and Standards SP 800-171. The twenty additional DoD requirements were eliminated. The new Level 2 certification ensures that your organization is able to store and share CUI safely and securely.
Level 2 Will Have Two Groups
Under CMMC 2.0, CMMC Level 2 will be divided into two groups: one for “Critical to National Security Information”, and a second that isn’t deemed critical. The group rated “Critical” will be subject to third-party assessments every three years. Non-critical groups may be able to self-assess, in the same fashion as Level 1.
The New Level 3: “Expert”
Designed for companies that work on CUI with the DoD’s highest priority programs, Level 3 aligns with the more than 110 practices and controls of NIST SP 800-171 and 800-172. This expert group is certified to prevent Advanced Persistent Threats (APTs). These assessments will be government-led and performed tri-annually.
The CMMC 2.0 Timeline
It appears that CMMC 2.0 with have an interim rule by May 2023, with a target of beginning to be included in contracts 60 days later, in July 2023. While the full phasing in of updated contracts is expected to roll out between 2023 and 2026, it has been recommended that businesses that handle CUI be prepared to meet the new CMMC 2.0 Level 2 requirements as soon as July 2023.
The Cost of Implementation
While some companies are worried that the cost of CMMC compliance will rise with the new system, actual costs are projected to be significantly lower. This is because requirements will be streamlined, third-party assessments will be consistent and self-assessments for Level 1 and some Level 2 contractors will all lower overhead.
The new CMMC cybersecurity system will help the United States to be better prepared to defend against cyberattacks while costing contractors less money to implement. The slimmed Level system will create a workforce that is more prepared and in compliance with CMMC, NIST, and DoD protocols. If you are a contractor who would like to have DoD contracts going forward, you can prepare for the CMMC 2.0 implementation by following the NIST compliance path right away.