You have probably heard the rumblings of CMMC changes coming at the end of 2021. We’re here to break down the key changes coming with CMMC v2.0 and compare them with the previous CMMC v1.0.

The Current CMMC Timeline  

September 2020: The DoD published the CMMC program (now known as CMMC 1.0). This framework assesses a Defense Industrial Base (DIB) contractor’s compliance with a set of cybersecurity standards.

November 2020: A Presidential interim rule became effective, establishing a five-year phase-in period and requiring compliance with NIST SP 800-171 rules.

March 2021: The DoD announced an internal review of CMMC’s implementation.  

November 2021: The DoD announced CMMC 2.0, an updated program and set of requirements designed to meet certain goals, including:

  • Protecting sensitive information to enable and protect the warfighter.
  • Dynamically enhancing DIB cybersecurity to meet evolving threats.
  • Ensuring accountability while minimizing barriers to compliance with DoD requirements.
  • Contributing to a collaborative culture of cybersecurity and cyber resilience.
  • Maintaining public trust through high professional and ethical standards.

What has Changed?

According to the DoD, the modifications include:

  • Eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model.
  • Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1.
  • Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation.
  • CMMC Level 5 requirements are still under development.
  • Development of a time-bound and enforceable Plan of Action and Milestone process.
  • Development of a selective, time-bound waiver process, if needed and approved.

Comparing CMMC 1.0 & CMMC 2.0

Here is how the two compare:

Download our Infographic

What this Means for DoD Contractors 

  • For DIB companies handling CUI, the underlying requirements have not changed.
    • Reading between the lines of NIST SP 800-171, there is not much difference from CMMC Level 3 except the elimination of the additional 20 controls.
  • Further details will come from the interim rules.
    • The rulemaking process will take 9-24 months before new rules are announced.
    • Rules go into effect 60 days after they are announced.
  • POAMs are allowed; however, only on select requirements.
  • Don’t expect to get a pass on requirements; POAMs won’t be allowed on high-weighted requirements.
  • A timeline for closing POAMs will be set (6 months).
  • The DoD will establish a minimum score, with POAMs, for certification.
  • At the end of the day…
    • If you are Level 3, keep working on the NIST SP 800-171 requirements and close out your POAMs!
    • Don’t expect that any of these changes will somehow make it much easier to gain compliance than under CMMC 1.0.
    • Don’t assume that this reduces your compliance burden.
    • For those that will be able to self-attest – cost is reduced.
    • For those that will require 3rd-party assessment – nothing has changed except for some of the CMMC-unique controls being eliminated.

Braxton-Grant’s 3-Step Cyber Assessment

Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts and CMMC Registered Practitioners to assist in pre-assessments for organizations with DoD contracts.

We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting their budget.

For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting.
