CMMC 2.0: What It Means for Your Business

By Donald DeWitt Jr. • November 16, 2021

Recently a CMMC-AB town hall meeting was held to present and discuss changes to the Cybersecurity Maturity Model Certification (CMMC). The new version, called CMMC 2.0, was presented by the Department of Defense (DoD) together with the CMMC Accreditation Body (CMMC-AB). The biggest takeaway from the meeting is that the revision now mirrors NIST SP 800-171.

With CMMC 1.0, a large percentage of the requirements already mapped directly to NIST SP 800-171. Now CMMC is explicitly defined by NIST SP 800-171. As the cybersecurity landscape continues to evolve, any additional controls are expected to be added to the NIST standard itself rather than to a separate CMMC model. Clarifying the foundation of this cybersecurity mandate simplifies the process by eliminating the earlier mapping to other risk management, ISO, and risk maturity model frameworks.

Impact of this change–and why nothing has really changed

While at first glance this shift to make NIST SP 800-171 the foundation of CMMC might appear to have a large impact, it actually changes very little. For one thing, System Security Plans (SSPs) and Plans of Action and Milestones (POAMs) are still relevant and necessary. Companies should focus on which level of the new standard applies to their business. CMMC 2.0 has three levels in place of the five levels of version 1.0. Here is how the mapping looks:

CMMC 1.0    CMMC 2.0
--------    --------
Level 1     Level 1
Level 3     Level 2
Level 5     Level 3

Right now, the reporting requirement for Level 1 is exactly what it was before: an annual self-assessment against the applicable controls and practices, which companies affirm to the government each year. For the new Level 2, companies will also perform self-assessments against the requirements of NIST SP 800-171 and submit their scores to the Supplier Performance Risk System (SPRS); under the DoD announcement, Level 2 contracts involving information critical to national security will instead require a third-party assessment every three years.

With the new version there is no explicit requirement for documentation, policies, and procedures, but there is an expected requirement based on NIST SP 800-171, Appendix M. What that means is that contractors should still be mindful of documenting their cybersecurity practices.

Your next steps

For now, it is all about aligning with the partner you rely on to meet your cybersecurity requirements and to gain or maintain your government contract work. Leverage the expertise of those who know what needs to be done, and focus on your own core competence.

Stay informed, and know that NIST SP 800-171 remains the governing cybersecurity requirement for defense contractors, as invoked by DFARS 252.204-7012. CMMC 2.0 is the future, but NIST SP 800-171 is not expected to go away and provides the foundation for the revised CMMC standard. If you have any questions on how to proceed, contact us. We would be happy to share our insight and apply best practices to help your business attain its cybersecurity goals.