CMMC Version 2 – DoD’s Changing Approach
Posted by: Dan Mengel
Published 11/9/2021, 11:00am
On November 4, the U.S. Department of Defense (DoD) formally announced version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) on its CMMC Web site. CMMC 2.0 represents a significant shift in the DoD’s intended approach to cybersecurity for the Defense Industrial Base (DIB) and for the organizations that store, process, and/or generate Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Significant changes from the previous version of CMMC include the following:
- Consolidation of the previous, five-level framework into three levels.
- Full alignment with NIST SP 800-171 and SP 800-172 alone, and elimination of the separate “process” maturity requirements.
- Elimination of the third-party assessment requirement for most organizations, in favor of annual self-assessments and corresponding attestations supplied to the DoD.
- Limited use of Plans of Action & Milestones (POA&Ms) for some requirements.
According to the CMMC Web site, existing CMMC pilot efforts are suspended, CMMC requirements are not being included in any DoD solicitation at this time, and formal implementation of CMMC 2.0 via rulemaking (expected to take 9-24 months) has begun. However, it is important to note that the DFARS regulation is still in force. In other words, organizations handling CUI must still comply with NIST SP 800-171 (which will most likely become CMMC Level 2), and organizations handling FCI must still comply with the Federal Acquisition Regulation (FAR) (48 CFR § 52.204-21).
CMMC Level 1 (prior to 2.0) consisted of a subset of NIST SP 800-171 requirements, while CMMC Level 3 (prior to 2.0) consisted primarily of NIST SP 800-171 requirements plus a few additional ones. Given this, and the uncertainty around CMMC over the past year, GuidePoint’s advice to our customers has consistently been to start with the seventeen 800-171 requirements that satisfy the FAR, then work on implementing the remaining controls. This advice is even more timely now, given the projected alignment with 800-171/172. In addition to the risk reduction gained from implementing these controls, this approach ensures that the investments in control implementation and maintenance are not wasted from a compliance perspective.
Organizations handling CUI and/or FCI need to review the updated CMMC site in detail, seek assistance from qualified sources (e.g., C3PAOs, RPOs such as GuidePoint, or DoD contacts), and review their current approach and strategy with regard to FAR/DFARS/CMMC compliance.
Dan Mengel
Practice Director, Compliance,
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development, and security vulnerability, risk, and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA, and others.
Dan earned a Bachelor of Science degree in Computer Information Systems from Goldey-Beacom College and holds several recognized information security industry certifications.