“Earlier this month, the Department of Defense (DOD) released the new Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, along with the self-assessment guides for the new Levels 1 and 2, scoping guidance for all Levels, and other helpful tools for contractors seeking to perform self-assessments. Each of these documents is available on DOD’s CMMC website under the Documentation tab. Here are key highlights from DOD’s CMMC 2.0 Documentation for small and mid-sized defense contractors.
“These documents signal some major departures from the CMMC 1.0 framework. For instance, the CMMC 1.0 framework contemplated that a contractor’s entire information technology (IT) system would be certified at a particular level. Many contractors were concerned that the cost of implementing CMMC requirements enterprise-wide would be prohibitively high, particularly at CMMC 1.0 Level 3 and above, and requested that DOD permit certification of particular ‘enclaves’ that processed Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), which would be similar to the ‘enclaves’ some cleared contractors might use to process classified information…”
“For Level 2, the documentation and assessment process is more involved, and contractors will be required to determine which of five categories their IT assets fall into before performing their self-assessments. Those five categories are: (1) CUI Assets, (2) Security Protection Assets, (3) Contractor Risk Managed Assets, (4) Specialized Assets, or (5) Out-of-Scope Assets.
“While only the first two categories of assets will need to meet all the CMMC 2.0 Level 2 requirements, the third and fourth categories will still need to be accounted for in the contractor’s system security plan (SSP). However, contractors will not need to apply the CMMC self-assessment requirements to those assets. Contractors will also be required to keep any assets that do not and cannot store, process, or transmit CUI physically and logically separated from assets that can perform those functions. In similar fashion to the CMMC 2.0 Level 1 self-assessment, contractors will not be required to document or apply CMMC 2.0 self-assessment requirements to Out-of-Scope Assets and will not be required to address those assets in their SSPs. However, keeping track of and securing all IT assets remains an industry best practice…”
“In sum, DOD’s changes to the CMMC framework mean that CMMC will be easier for small and mid-sized businesses to attain. The narrowed scope of the assessments, coupled with the ability for many contractors to perform self-assessments, means that the CMMC process will be more streamlined and less expensive, while still protecting sensitive information…” Read the full article here.
Source: DOD Releases CMMC 2.0 Framework Documentation – By Anna R. Wright, December 22, 2021. PilieroMazza.