What’s Different in CMMC 2.0 Requirements from CMMC 1.0?

WRITTEN BY

Corrin Jones

POSTED ON

February 3, 2022

TAGS

Categories: Security

SHARING THIS ARTICLE

What’s Different in CMMC 2.0 Requirements from CMMC 1.0?

The CMMC 2.0 model has been updated on the DoD website and it includes a lot of changes that companies interested in achieving CMMC compliance should be aware of. The CMMC model was already fairly new, and many companies were scrambling to achieve compliance before the requirements were enacted. While the CMMC 2.0 changes may complicate some of this shift, they are largely advantageous to the companies pursuing compliance.

Today, we’re going to take a deeper look at CMMC 2.0, CMMC 2.0 changes and CMMC 2.0 requirements. And don’t forget; if you’re struggling to meet CMMC 2.0 requirements, the best chance you have is to engage a professional.

Eliminating Levels 2 and 4 from CMMC 2.0 Compliance

CMMC 2.0 streamlines its requirements by eliminating levels 2 and 4 entirely. Instead, there will be three levels. Level 2 was considered to be intermediate while level 4 was considered to be proactive. In the previous model:

  • Level 1 (Basic). Third-party assessment with 17 practices.
  • Level 2 (Intermediate). 72 practices and 2 maturity processes with no assessment.
  • Level 3 (Good). 130 practices and 3 maturity processes with third-party assessment.
  • Level 4 (Proactive). 156 practices and 4 maturity processes with no assessment.
  • Level 5 (Advanced). 171 practices and 5 maturity processes with third-party assessment.

Now, the model is as follows:

  • Level 1 (Foundational). 17 practices and an annual self-assessment.
  • Level 2 (Advanced). 110 practices and tri-annual third-party assessments with annual self-assessment.
  • Level 3 (Expert). 110+ practices and tri-annual government assessments.

This is a radical adjustment to the CMMC model and it’s something that companies should definitely consider when trying to improve their practices, processes and maturity models. However, it should also be noted that companies were always to be given a chance to improve their standing; so, companies that were rated at Level 2 may have adjusted to achieve Level 3 during the CMMC audit process regardless.

Maturity Processes Have Been Removed

The maturity processes that were initially required by CMMC have been removed, but this doesn’t mean that policies and procedures don’t need to be in place. The documentation regarding these policies and procedures is still embedded in the practices, it’s simply the direct maturity processes that have been removed from the assessment.

But that doesn’t mean that these maturity requirements aren’t something that an organization should have. At its core, the CMMC has always been designed to describe a model of security that would be effective and complete for the protection of government data. Organizations that want to improve their privacy and security may still look to the CMMC model.

Allowing Annual Self-Assessments for CMMC Level 1

Previously, organizations that only handled Federal Contract Information still had to go through the third-party assessment process. Level 1 is the most basic level of assessment. Now, organizations can go through an annual self-assessment process for CMMC Level 1, which significantly cuts down on the amount of energy and the cost.

Bringing Back Plan of Actions and Milestones

cmmc 2.0 changes

Plan of Actions and Milestones are being brought back under CMMC 2.0 after having been removed from CMMC 1.0, so this is something that companies should keep in mind. Companies are going to need a number of mandatory controls for a job to be awarded to them, as these Plan of Actions and Milestones are going to have to be presented during the initial contracts.

CMMC Level 3 Requirements Are in Development

CMMC’s Level 3 (previously Level 5) requirements are still in development, but they’re very likely to be similar to what was already stated; it’s the specific requirements that are likely to change. That doesn’t mean that organizations shouldn’t still be moving through the CMMC requirements, but they can use the old government contract requirements and CMMC 1.0 requirements to lead them with the knowledge that the specific requirements may change.

How Long Do Companies Have to Achieve CMMC 2.0 Requirements?

There’s good news. It’s unlikely that organizations will be required to achieve these requirements within 9 to 24 months of publication, but these requirements need to be worked toward now. Because these requirements are so advanced, companies will want to start developing their processes and their documentation now rather than later.

Largely, the process of achieving CMMC 2.0 compliance hasn’t changed. Organizations will attempt to go for compliance, will need to undergo a review, and will have a certain amount of time to change anything that is found to be under standards. For companies that only need Level 1 compliance, this process is going to be streamlined because it requires only self-assessment. For other organizations, they may find themselves having to make modifications to meet the new CMMC 2.0 requirements if they’ve been previously moving toward CMMC 1.0.

What Should Organizations Do About the CMMC 2.0?

Organizations still need to be moving toward the CMMC 2.0 requirements that they need to meet. However, there should be an understanding that Level 1 will be easier to meet, and that Level 3 may be challenging, depending on the enforcements that are actually placed. Companies should immediately start looking at the CMMC 2.0 requirements in-depth to figure out where they need to make changes and adjustments… but know that there may be additional changes in the future.

Are you concerned about meeting the new CMMC 2.0 requirements? If you deal with government data, these requirements are going to be essential for your organization. While Level 1 now requires only a self-assessment, you still need to meet the appropriate criteria. Level 2 and Level 3 may be a little more difficult to meet, as the requirements aren’t set in stone for Level 3 and the requirements for Level 2 have been altered.

The best way to ensure that you’re ready for CMMC 2.0 is to consult with a professional team. At Red River, we are experts in security, privacy and technology. We can help you develop a security and data management system that will protect both government information and your own. Connect with us today to find out more about the CMMC 2.0 changes and what we can do to help you support them.