CMMC 2.0: Understanding the Context and Impact

By Eric Noonan • December 9, 2021

Since CMMC 2.0 was announced last month, there has been a lot of speculation about what it means. Our approach is to examine only information regarding CMMC 2.0 that has come from official or authorized government bodies, such as the CMMC Accreditation Body and the Department of Defense.


The framework remains largely unchanged

Our analysis is that CMMC 1.0 and the proposed 2.0 revision are both grounded in Defense Federal Acquisition Regulation Supplement: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS Clause 252.204-7012), which requires the implementation of NIST Special Publication 800-171 (NIST SP 800-171). DFARS Clause 7012 was first published eight years ago and NIST SP 800-171 followed in 2016, so both have been around for a while.

It’s also important to note that CMMC 2.0 as proposed has not yet completed the federal rulemaking process. All articles and information as of this writing are not representative of any final ruling. That is all the more reason to ground your efforts in what is both final and actually required: DFARS Clause 252.204-7012 and NIST SP 800-171.

In this series of blogs, we will be highlighting some of the changes outlined in the proposed CMMC 2.0. For a more in-depth walk-through, save your virtual seat at our upcoming webinar, CMMC 2.0: What it Means for Your Business.


Impacts of proposed changes

Below is a rundown of the changes that CMMC 2.0 looks to bring, as outlined thus far, and the corresponding effect on companies looking to continue doing business with the DoD.


Proposed change in CMMC 2.0 | Impact
L2 and L4 are projected to be eliminated. | Generally speaking, most companies were aligning to CMMC 1.0 Level 3, so the effect of this change is minimal, with no material impact to the defense industrial base.
The naming nomenclature has changed. The new L1 and L2 are the old L1 and L3. Stated another way, the old L3 is now L2. |
The 20 maturity requirements and controls from CMMC 1.0 L3 have been eliminated. | Simply stated, companies should adhere to NIST SP 800-171. The 110 requirements of NIST SP 800-171 have been required for the past six years; focus there. That’s plenty for most organizations to get their hands around.


Next steps

Attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.
