Recently a CMMC-AB town hall meeting was held to present and discuss changes to Cybersecurity Maturity Model Certification (CMMC). The new version, called CMMC 2.0, was presented by the Department of Defense (DOD) as well as the CMMC accrediting body. The biggest takeaway from the meeting is that the revision now mirrors NIST 800-171.
With CMMC 1.0, a large percentage of the requirements mapped directly to this NIST standard. Now, CMMC is explicitly defined by NIST 800-171. As the cybersecurity landscape continues to evolve, any additional controls will be directly put into the NIST standard. In clarifying the foundation for this cybersecurity mandate, it will simplify the process by eliminating any previous mapping to other risk management, ISO, or risk maturity model frameworks.
Impact of this change–and why nothing has really changed
While at first glance, it might appear that this shift to have NIST 800-171 provide the foundation of CMMC will have a large impact, it actually changes very little. For one thing, System Security Plans (SSPs) and Plans of Actions and Milestones (POAMs) are still relevant and necessary. Companies should focus on which level of the new standard applies to their business. At this point CMMC 2.0 contains three levels as opposed to the five levels of version 1.0. Here’s how the mapping looks:
|CMMC 1.0||CMMC 2.0|
|Level 1||Level 1|
|Level 3||Level 2|
|Level 5||Level 3|
Right now, reporting requirements for Level One are exactly what they were before. That requirement is a self-assessment on the applicable controls and practices, which companies submit to the government each year. For the new level two, companies will also be performing self-assessments against the requirements of NIST 800-171 and submitting their results into the Supplier Performance Risk System (SPRS).
With the new version, there is no explicit requirement for documentation, policies and procedures, but there is an expected requirement based on NIST 800-171, Appendix M. What that means is contractors should still be mindful of the documentation of their cybersecurity practices.
Your next steps
For now, it is all about aligning yourself with the partner you rely on to help you meet your cybersecurity requirements and gain or maintain your government contract work. Leverage the expertise of those who know what you need to do and focus on your own core competence.
Stay informed–and know that NIST 800-171 remains the cybersecurity law of the land. CMMC 2.0 is the future, but NIST 800-171 is not expected to go away and looks to provide a foundation for the revised CMMC standard. If you have any questions on how to proceed, contact us. We would be happy to share our insight and apply best practices to help your business attain your cybersecurity goals.