CMMC 2.0: What You Really Need To Know

CMMC 2.0 was released on November 4, 2021 and contains substantial changes to CMMC 1.2.

Now that we’ve all had some time to learn about and process the changes coming with CMMC 2.0, we thought we’d share a brief summary of what you really need to know.

The changes reflected in CMMC 2.0 will be implemented through the rule-making process in Part 32 of the Code of Federal Regulations (CFR) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48. The process is underway and estimated to proceed for the next 9-24 months. It is anticipated that an interim rule may be issued much sooner.

Until then, here’s the breakdown:

  1. There are now 3 maturity levels instead of 5 (levels 2 and 4 were removed).
  2. Self assessments with executive attestation are allowed for level 1 and “non-prioritized acquisition” Level 2.
  3. Some Process Controls have been removed (.999, .998, .997, CA.2.157). However, 61 NFO Controls (Including Policies, Procedures, and SSPs) are now required as prerequisites from 800-171 Appendix E.
  4. POA&Ms are now allowed. (More details to come on this.)
  5. We are down to 110 practices (NIST 800-171), instead of the 130 it was previously.
  6. Use NIST 800-171A to determine assessment objectives you’ll need to meet when you’re assessed.

If you’d like more in-depth information about the CMMC changes, you can watch the replay of the CMMC 2.0 webinar we did with Coalfire Federal. We’d also be happy to talk with you or your team to bring you up to speed or answer any questions—just reach out to us here.