CMMC 2.0: The Effect on Assessments
As the discussions around the impact of the newly announced CMMC 2.0 continue to swirl, we are here to apply our knowledge to our analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact for the update.
Our next topic as we highlight some of the proposed changes in CMMC 2.0, is how assessments would be impacted in the proposed 2.0 revision. Let’s examine what we know for each of the new levels as defined by the revision.
- Level One: The assessment requirement for CMMC 2.0 Level One is the same requirement that existed already. Keep in mind that many people probably have Level One CMMC compliance on their home computers, so it’s not a very high bar to clear.
- Level Two: Depending on the type of information involved in your business with the DoD, Level Two requires either a third-party assessment or a self-assessment. Companies can self-assess and then have a senior company official affirm their compliance and enter the self-assessment results into the Supplier Performance Risk System (SPRS). This is not a material change from CMMC 1.0. The fact of the matter is your company is still responsible for implementing and maintaining proper cybersecurity practices.
- Level Three: This level requires a government assessment. Again, there is no impact. In CMMC 1.0, these programs were evaluated on a case-by-case and contract-by-contract basis and that will continue to be the case in the proposed revision.
Summary of Impact on Assessments
|CMMC 2.0, Level 1 (Foundational)||Self assessment||No impact – same as existing requirements|
|CMMC 2.0, Level 2 (Advanced)||Third party assessment required for prioritized acquisitions||No impact – same as existing requirements|
|Self assessment and affirmation||Impact unknown – aligned with existing requirements|
|CMMC 2.0, Level 3 (Expert)||Government Assessment||No impact|
As you can see, the impact on assessments is minimal, the real takeaway is that you still need one! Either complete an assessment internally or bring on a third-party but an assessment is a “must have”. If you have any questions on how your organization should proceed in determining the current state of your cybersecurity, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.
For practical, actionable next steps around CMMC 2.0 attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.