CMMC 2.0 was released on November 4, 2021, and contains substantial changes from CMMC 1.2.
Now that we’ve all had some time to learn about and process the changes coming with CMMC 2.0, we thought we’d share a brief summary of what you really need to know.
The changes reflected in CMMC 2.0 will be implemented through the rule-making process in Part 32 of the Code of Federal Regulations (CFR) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48. The process is underway and estimated to proceed for the next 9-24 months. It is anticipated that an interim rule may be issued much sooner.
Until then, here’s the breakdown:
- There are now 3 maturity levels instead of 5 (levels 2 and 4 were removed).
- Self-assessments with executive attestation are allowed for Level 1 and for “non-prioritized acquisition” Level 2.
- Some process controls have been removed (.999, .998, .997, CA.2.157). However, 61 NFO controls (including policies, procedures, and SSPs) from NIST 800-171 Appendix E are now required as prerequisites.
- POA&Ms are now allowed. (More details to come on this.)
- We are down to 110 practices (NIST 800-171), instead of the 130 required previously.
- Use NIST 800-171A to determine assessment objectives you’ll need to meet when you’re assessed.
If you’d like more in-depth information about the CMMC changes, you can watch the replay of the CMMC 2.0 webinar we did with Coalfire Federal. We’d also be happy to talk with you or your team to bring you up to speed or answer any questions—just reach out to us here.
It would be good to know if the NFO controls are required for Level 1, or not until you reach Level 2?
In Appendix E of NIST 800-171, NFO controls are “expected to be routinely satisfied by non-federal organizations without specification,” so it’s safe to say they’re expected to be done. CMMC does not directly mention this, but I’d wager that not having documentation (policies, procedures, SSP, etc.) in place would be a risk to passing an assessment at Level 1, should you be lucky enough to have DIBCAC visit you.