CMMC 2.0 Brings Major Program Changes
November 9, 2021
Stay Connected
On November 4, the Department of Defense (DoD) announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, which marks the completion of an internal program assessment led by senior leaders across DoD.
CMMC 2.0 brings about a number of changes which DoD will be pursue through the rulemaking process and will include public comment periods.
Listen to Neal Beggan, a Principal in Cherry Bekaert’s Information Assurance & Cybersecurity Practice, selected as one of the first Provisional Assessors nationwide by the CMMC Accreditation Body, and Eric Poppe, a senior manager in the Firm’s Government Contractor Services Group, as they discuss DoD’s modifications and their potential impact on contractors and subcontractors in the defense industrial base (DIB).
Changes include:
- Eliminating levels 2 and 4 of the framework and using National Institute of Standards and Technology (NIST) cybersecurity standards
- Companies at Level 1, and a subsection of companies at Level 2 will only be required to demonstrate compliance through annual self-assessments
- Triannual third-party assessments at Level 2 for critical national security information, as well as triannual government-led assessments at Level 3
- Increase in oversight of professional and ethical standards of third-party assessors
- New waiver processes for select requirements – DoD indicated:
- “Under certain limited circumstances”, companies can make “Plans of Action & Milestones (POA&Ms)” to achieve certification
- “Under certain limited circumstances”, waivers to CMMC requirements will be allowed
DoD is also suspending the current CMMC pilot program for select contracts and will not approve any CMMC requirements in DoD solicitations while the rulemaking is underway. The Defense Department further indicated that it is looking at providing incentives to contractors who voluntarily obtain certification during the interim period and more information will be forthcoming.
Catch up on Cherry’s Bekaert’s guidance pertaining to CMMC 2.0:
- Article: Updated Projected Timeline for CMMC: What this Means for Contractors and How to Prepare for Certification
- Podcast: Final CMMC Rule: March 2023 Update
- Podcast: CMMC 2.0 – Where Does It Stand?
- Podcast: What’s New with CMMC 2.0?: August 2022 Update
- Podcast: CMMC 2.0 Brings Major Program Changes
- On-Demand Webinar: CMMC 2.0 Brings Major Program Changes