
Featured Article: Goodbye CMMC 1.0, Hello CMMC 2.0

November 11, 2021

Last week, the Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. The nascent cybersecurity compliance program came under criticism from the defense industrial base (DIB) because of its extensive requirements and onerous penalties.

The program changes come as a result of an extensive internal review which was prompted by over 850 public comments regarding the CMMC during the public comment period in the Fall of 2020 in addition to concerns raised by Congress.

The CMMC Accreditation Body (AB) held a town hall this week to discuss how the changes will affect the process of certifying assessors, training requirements, and more. The town hall featured Deputy Assistant Secretary of Defense Jesse A. Salazar, Deputy DoD Chief Information Officer for Cybersecurity David McKeown, and Buddy Dees of the CMMC Program Management Office. They largely reinforced the new information already available on the CMMC website.

A key driver for the change, they said, was to fully align the CMMC with National Institute of Standards and Technology (NIST) cybersecurity standards in order to ease the process of expanding the program across the government. Though not an official announcement, this does portend the expansion of the program beyond DoD.

Summary of CMMC Program Changes

|                                                          | CMMC 1.0                              | CMMC 2.0                                                          |
|----------------------------------------------------------|---------------------------------------|-------------------------------------------------------------------|
| Maturity Levels                                          | 5 Levels                              | 3 Levels                                                          |
| Process Maturity Requirements (Policies and Procedures)  | Required                              | Not Required                                                      |
| Level 1 Requirements                                     | 17 Practices; 0 Process Maturity      | 17 Practices; 0 Process Maturity                                  |
| Level 1 Assessments                                      | Triannual Third Party                 | Annual self-assessment                                            |
| Level 2 Requirements (formerly Level 3)                  | 130 Requirements; 3 Process Maturity  | 110 Requirements (NIST SP 800-171); 0 Process Maturity            |
| Level 2 Assessments                                      | Triannual Third Party                 | Triannual Third Party; Annual self-assessments                    |
| Level 3 Requirements (formerly Level 5)                  | 171 Practices; 5 Process Maturity     | 110 Requirements + additional requirements from NIST SP 800-172   |
| Level 3 Assessments                                      | Triannual Third Party                 | Triannual Government-led assessments                              |

CMMC 2.0 Scoring System

CMMC 1.0 is officially over. No new contracts will include CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Over the next few weeks, an updated CMMC Assessment Guide for Levels 1 and 2 should be posted to the Department's website.

CMMC 1.0 was essentially a 100% pass/fail assessment: organizations had to satisfy every practice and process maturity requirement to pass. CMMC 2.0 moves to a scoring system, most likely similar to the scoring process for NIST SP 800-171. However, certain high-risk practices still cannot fail in a passing assessment. Organizations will be allowed to document plans of action and milestones (POA&Ms) for other practices that do not pass, and DoD will establish a minimum score for a passing assessment.

Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000


Chris Moschella is a Senior Manager within Keiter's Risk Advisory Services practice. He is a Certified Public Accountant and a Certified Information Systems Auditor. He leads Keiter's IT and cybersecurity-related audit and consulting services, including the CMMC consulting practice. Prior to joining Keiter in 2016, Chris was a Manager at PricewaterhouseCoopers, where he performed financial and IT audit-related services in the defense space for 8 years. Chris speaks regularly across Virginia on a variety of topics related to cybersecurity and cryptocurrency.


 Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
