On January 31, 2020, the Department of Defense (DoD) announced the creation of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a certification program developed by the DoD to verify that contractors who work with the Department have the controls in place to protect DoD data. It does this by raising cyber protection standards and by giving the DoD greater assurance that its contractors actually meet them, rather than relying on contractor self-attestation alone. Many DoD contractors already follow the National Institute of Standards and Technology (NIST) standards on which CMMC bases its certification. CMMC goes a step further than NIST, however, by removing some of the confusion around how those standards are to be implemented and by adding assessment of that implementation.
The CMMC framework centers on three key features: 1) a tiered model that requires companies entrusted with national security information to implement standards at different levels depending on the type of information they handle; 2) assessment requirements that allow the DoD to verify the implementation of those standards; and 3) implementation through contracts, so that once the program is fully in place, contractors must hold a specified CMMC level as a condition of being awarded DoD contracts.
In September 2020, the DoD published an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) in the Federal Register and requested feedback to refine policy and program implementation. The interim rule became effective on November 30, 2020, and established a five-year phase-in period for the CMMC. However, following an internal review, the DoD announced CMMC 2.0 in November 2021.
The updated CMMC 2.0 program structure and design reflect the primary goals that the DoD identified during the internal review. The primary objectives of CMMC 2.0 are: safeguarding sensitive information to enable and protect the warfighter; dynamically enhancing defense industrial base (DIB) cybersecurity to meet evolving threats; ensuring accountability while minimizing barriers to compliance with DoD requirements; contributing to a collaborative culture of cybersecurity and cyber resilience; and maintaining public trust through high professional and ethical standards.
Understanding the Differences Between 1.0 and 2.0
The CMMC 2.0 model has been streamlined to three levels, eliminating CMMC 1.0 Levels 2 and 4, which were transition levels never intended to be assessed requirements. Depending on the information a company handles, CMMC 2.0 establishes three levels:
- Level 1 (Foundational) – For companies that handle federal contract information (FCI) only. FCI requires protection but is not critical to national security.
- Level 2 (Advanced) – For companies that handle controlled unclassified information (CUI).
- Level 3 (Expert) – For the highest-priority programs involving CUI.
Unlike CMMC 1.0, CMMC 2.0 requirements mirror NIST SP 800-171 and NIST SP 800-172: all CMMC 1.0 unique practices and maturity processes are eliminated, and the DoD is working with NIST to address identified gaps in NIST SP 800-171. In practice this means CMMC 2.0 Level 2 aligns with the requirements of NIST SP 800-171, and Level 3 uses a subset of the NIST SP 800-172 requirements.
With CMMC 2.0, the DoD is introducing several key changes that build on and refine the original program requirements: streamlining the model; making assessments more reliable while reducing assessment costs (including allowing self-assessment at Level 1 and for a subset of Level 2 programs, with third-party assessment reserved for prioritized Level 2 programs and government-led assessment for Level 3); and improving accountability by increasing oversight of assessors and holding them to higher professional and ethical standards. These changes aim to strengthen three main areas: accountability to cybersecurity standards while minimizing barriers, a collaborative culture of cyber resilience, and public trust, all while simplifying execution.
The changes to the CMMC program will be released through an interim rule, followed by a 60-day public comment period and a simultaneous congressional review, both of which must be completed before the rule becomes effective. The Pentagon intends to streamline CMMC 1.0 into CMMC 2.0 and allow more industry collaboration through two new rules in the Code of Federal Regulations (CFR): one under Title 32 CFR and one under Title 48 CFR.
Until the CMMC 2.0 changes become effective through these rulemaking processes, the DoD is suspending its CMMC piloting efforts. CMMC 2.0 requirements will not be mandatory until the Title 32 CFR rulemaking is complete and the program requirements have been implemented in contracts through the Title 48 CFR rulemaking. The expected timeline to complete all rulemaking is 9 to 24 months. In the meantime, the DoD will continue to encourage the DIB sector to strengthen its cybersecurity practices.
Don’t Wait for CMMC 2.0 to Become #CyberFit
The public sector and the vendors that supply it are increasingly under attack. If your organization suffers a data loss, it can deliver a devastating blow to the agency you serve and to its constituents. It therefore pays to take action now to become #CyberFit, rather than scrambling to adopt trusted solutions only once CMMC 2.0 is mandated.
Start by selecting a compliance-certified cloud solution: Acronis SCS Cyber Protect Cloud. Validations and compliance frameworks such as FIPS 140-2 (for cryptographic modules), HIPAA, and CJIS hold IT products and services to demanding security requirements. Note that FIPS 140-2 validates the cryptographic module specifically, while HIPAA and CJIS are compliance frameworks rather than product certifications. Deploying a solution that meets these requirements does not eliminate vulnerabilities or exploits, but it materially reduces your exposure and helps prevent unpredictable data loss.
Be confident in your ability to protect the most sensitive data in some of the most heavily targeted computing environments. Talk to one of our MSP specialists to learn how partnering with Acronis SCS will put you on the road to being #CyberFit.