CMMC 2.0: Understanding the Context and Impact

By Eric Noonan • December 9, 2021

Since CMMC 2.0 was announced last month, there has been a lot of supposition around what it means. Our approach is to only examine information regarding CMMC 2.0 that has come from official government bodies or authorized government bodies, like the CMMC accreditation body and the Department of Defense.

 

The framework remains largely unchanged

Our analysis is that CMMC 1.0 and the proposed 2.0 revision are both grounded in Defense Federal Acquisition Regulation Supplement: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS Clause 252.204-7012), which requires the implementation of NIST Special Publication 800-171 (NIST SP 800-171). DFARS Clause 7012 was first published eight years ago and NIST 800-171 came in 2016–so they have both been around for a while. 

It’s also important to note that CMMC 2.0 as proposed completed the federal rulemaking process. All articles and information as of this writing are not representative of any final ruling. All the more reason to ground your efforts in what is both final and actually required, DFARS Clause 252.204-7012 NIST 800-171.

In this series of blogs, we will be highlighting some of the changes as outlined in the proposed CMMC 2.0. For a more in-depth walk-through, save your virtual seat at our upcoming webinar, CMMC 2.0: What it Means for Your Business. Register Now

 

Impacts of proposed changes

Below is a rundown of the changes that CMMC 2.0 looks to bring as outlined thus far, and the corresponding effect on companies looking to continue to engage with the DoD in a commercial capacity.

 

Proposed changes in CMMC 2.0Impact
L2 and L4 are projected to be eliminated.Generally speaking, most companies were aligning to CMMC 1.0 level three, so this repercussion is minimal with no material impact to the defense industrial base.
The naming nomenclature has changed. The new L1 and L2 are the old L1 and L3. Stated another way, the old L3 is now L2. 
The 20 maturity requirements and controls from CMMC 1.0, L3 have been eliminated.Simply stated, companies should adhere to NIST 800-171. The 110 requirements of NIST 800-171 have been required for the past six years, focus there. That’s plenty for most organizations to get their hands around.

 

Next steps

Attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.

CMMC 2.0 Webinar Registration

CyberSheath Blog

CMMC 2.0: Understanding the Context and Impact

Since CMMC 2.0 was announced last month, there has been a lot of supposition around what it means. Our approach is to only examine information regarding CMMC 2.0 that has come from official government bodies or authorized government bodies, like the CMMC accreditation body and the Department of Defense.  …

CMMC 2.0: The Effect on Assessments

As the discussions around the impact of the newly announced CMMC 2.0 continue to swirl, we are here to apply our knowledge to our analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact for the update. Our next topic…

CMMC 2.0: POA&M Requirement Changes

In our series of blogs on the newly announced CMMC 2.0  topic, we started by discussing the context for the update and also wrote about the impact on assessments. Our next topic to discuss is the changes to a project management tool known as a plan of action and milestones (POA&M).…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft