CMMC 2.0: The Effect on Assessments

By Eric Noonan • December 15, 2021

As the discussions around the impact of the newly announced CMMC 2.0 continue to swirl, we are here to apply our experience to an analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact of the update.

Our next topic, as we highlight some of the proposed changes in CMMC 2.0, is how assessments would be affected in the proposed 2.0 revision. Let’s examine what we know for each of the new levels as defined by the revision.

  • Level One: The assessment requirement for CMMC 2.0 Level One is the same requirement that already existed. Keep in mind that many people probably have Level One CMMC compliance on their home computers, so it’s not a very high bar to clear.
  • Level Two: Depending on the type of information involved in your business with the DoD, Level Two requires either a third-party assessment or a self-assessment. Companies can self-assess, have a senior company official affirm their compliance, and enter the self-assessment results into the Supplier Performance Risk System (SPRS). This is not a material change from CMMC 1.0. The fact of the matter is that your company is still responsible for implementing and maintaining proper cybersecurity practices.
  • Level Three: This level requires a government assessment. Again, there is no impact. In CMMC 1.0, these programs were evaluated on a case-by-case and contract-by-contract basis, and that will continue to be the case in the proposed revision.

Summary of Impact on Assessments

| Level                             | Requirement                                                   | Impact                                               |
|-----------------------------------|---------------------------------------------------------------|------------------------------------------------------|
| CMMC 2.0, Level 1 (Foundational)  | Self-assessment                                               | No impact – same as existing requirements            |
| CMMC 2.0, Level 2 (Advanced)      | Third-party assessment required for prioritized acquisitions  | No impact – same as existing requirements            |
| CMMC 2.0, Level 2 (Advanced)      | Self-assessment and affirmation                               | Impact unknown – aligned with existing requirements  |
| CMMC 2.0, Level 3 (Expert)        | Government assessment                                         | No impact                                            |

As you can see, the impact on assessments is minimal; the real takeaway is that you still need one! Either complete an assessment internally or bring on a third party, but an assessment is a “must have”. If you have any questions on how your organization should proceed in determining the current state of your cybersecurity, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.

Next Steps

For practical, actionable next steps around CMMC 2.0 attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.

CMMC 2.0 Webinar Registration
