The U.S. Department of Defense (DoD) has released details of Cybersecurity Maturity Model Certification (CMMC) 2.0, intended to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The modifications from the original CMMC to CMMC 2.0 include:
– Elimination of Levels 2 and 4 and removal of CMMC-unique practices and all maturity processes from the CMMC Model. This means that, for the most part, NIST 800-171 requirements cover the standard.
– Allowing annual self-assessments with an annual affirmation by Defense Industrial Base (DIB) company leadership for CMMC Level 1;
– Division of CMMC Level 3 requirements to distinguish prioritized acquisitions, which would require an independent assessment, from non-prioritized acquisitions, which would require an annual self-assessment and annual company affirmation. This means not all contracts will require certification.
– CMMC Level 5 requirements are still under development. More to follow.
CMMC 2.0 also includes:
– Development of a time-bound and enforceable Plan of Action and Milestones (POA&M) process
– Development of a selective, time-bound waiver process (if needed and approved)
Until the CMMC 2.0 changes become effective through both the Title 32 CFR and Title 48 CFR rulemaking processes, the Department will suspend the CMMC piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations.
Stay tuned for further updates, or reach out to [email protected] with any questions.