What are the Differences Between CMMC 1.0 and CMMC 2.0?


What are the Differences Between CMMC 1.0 and CMMC 2.0?

February 11, 2022

CMMC 2.0: What Contractors Need to Know

Attention!  As you may have heard by now, the Department of Defense (DoD) has announced an updated Cybersecurity Maturity Model Certification (CMMC) model. If you’re unfamiliar with the model, the program was created by the DoD with the intention to fortify supply chain cybersecurity by requiring vendors to undergo third-party cybersecurity assessments. Under the original CMMC program, (AKA CMMC 1.0) launched in 2020, every defense contractor was required to successfully undergo a third-party assessment of their cybersecurity program.

What You Need to Know

According to the DoD, CMMC 2.0 is designed to minimize barriers to compliance by reducing costs, particularly for small businesses, and by clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. To achieve this, companies within certain compliance levels will be able to conduct self-assessments in place of a third-party audit. Some companies may also be able to conduct self-assessments if there is a time-bound and enforceable plan in place to remediate any compliance gaps.

This updated model is currently leveraging the NIST 800-171 requirements while the particulars of the assessment process, assessor training material, and requirements remain under development and review. Until these pieces are all finalized, CMMC should not be included in any contracts or provisional assessments until the rulemaking process of CMMC 2.0 is completed. The timeline of this process could take anywhere from 9 to 24 months.

New Structure – CMMC 1.0 vs. CMMC 2.0

The CMMC Model has been restructured. The table below highlights the differences between the original CMMC program and CMMC 2.0:

Why CMMC 2.0?

Based on a significant number of public comments in response to CMMC 1.0, it has become apparent that the following changes were necessary as briefly touched on earlier.

  • Minimizing barriers to compliance with DoD requirements (achievable for small businesses)
  • Increase trust in the CMMC assessment
  • Clarify and align cybersecurity requirements with other federal requirements and widely accepted standards

Next Steps

During the recent Town Hall meeting at the end of last year, the CMMC-AB indicated that progress has been moving ahead with the development of training for assessors and assessment team members. In conjunction with the tailored assessment criteria for the restructured model, the AB is optimistic about CMMC going live soon. For those wondering, “What should I do in the meantime?” it should be known that progress can still be made towards preparing for the eventual assessments while the particulars are worked out between the CMMC-AB and DoD. Despite the changes in the model, contractors are not off-the-hook for cybersecurity compliance. Instead, contractors must ensure they have a plan to close those compliance gaps, and Kreative can help! We recommend organizations focus on implementing NIST SP 800-171 to improve their overall cybersecurity posture. Click here to check out Kreative’s security compliance solution.