Tuesday, October 15, 2024

Federal Register: Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward

“SUMMARY:

This document provides updated information on DoD’s way forward for the approved Cybersecurity Maturity Model Certification (CMMC) program changes, designated as ‘CMMC 2.0.’ CMMC 2.0 builds upon the initial CMMC framework to dynamically enhance Defense Industrial Base (DIB) cybersecurity against evolving threats. The CMMC framework is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats. Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of DoD contract award…”

“SUPPLEMENTARY INFORMATION…”

“Way Forward

The changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. DoD will pursue rulemaking in both: (1) Title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods.

Publication of title 32 and title 48 CFR rules will implement DoD’s requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0.

These modifications include:

  • Eliminating levels 2 and 4, and renaming the remaining three levels in CMMC 2.0 as follows:
    • Level 1 (Foundational) will remain the same as CMMC 1.0 Level 1;
    • Level 2 (Advanced) will be similar to CMMC 1.0 Level 3;
    • Level 3 (Expert) will be similar to CMMC 1.0 Level 5.
  • Removing CMMC-unique practices and all maturity processes from all levels;
  • For CMMC Level 1 (Foundational), allowing annual self-assessments with an annual affirmation by DIB company leadership;
  • Bifurcating CMMC Level 2 (Advanced) assessment requirements:
    • Prioritized acquisitions involving CUI will require an independent third party assessment;
    • Non-prioritized acquisitions involving CUI will require an annual self-assessment and annual company affirmation;
  • For CMMC Level 3 (Expert), requiring Government-led assessments.
  • Developing a time-bound and enforceable Plan of Action and Milestone process; and,
  • Developing a selective, time-bound waiver process, if needed and approved…” Read the full proposed rule here.

Source: Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward – November 17, 2021. Federal Register.


Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.