CMMC 2.0, a Mix Bag in Terms of Compliance
The release of CMMC 2.0 was this last Thursday, November 4, and most likely, there will be further refinements as the program matures. Significant was that 2.0 focuses on the 110 controls of NIST 800-171 and the additional 35 enhanced controls of NIST 800-172. Some of the CMMC 1.0 controls were dropped as with the maturity level requirements. The new CMMC version reverts to the original 14 domains in NIST 800-171; they are unchanged. The exception is in CMMC 2.0 at Level 3; the enhanced controls (NIST 800-172) are additional requirements to some domains. The most significant changes addressed the execution and implementation of the CMMC program.
One of the changes is to reduce the number of Levels in the CMMC framework; 1.0 had five levels, 2.0 has three levels, foundational, advanced, and expert. The two levels dropped from CMMC 1.0 were inconsequential; Washington DC logic can only describe why these levels were created in the first place. With 2.0, Level 1 remains Federal Contract Information (FCI). Levels 2 and 3 focus on Controlled Unclassified Information (CUI). In general terms, there are three classes of CUI, with each class having consequences to the contractor. Level 2 has two classes of CUI, critical and non-critical; the difference will depend on the value of the information. Critical CUI is critical national security information; non-critical information is simply information that is not. The question is then what determines one or the other, the government will have to determine that, and as with CMMC 1.0, that can get complicated. The last class of CUI is Level 3, which is the same as Levels 4 and 5 in CMMC 1.0. Class 3 will consist of all the NIST 800-171 requirements and the enhanced requirements in NIST 800-172. Another change may be in the acceleration of the program; with CMMC 1.0, there was a five-year rollout, it was to start at the end of Fiscal Year 2025. With CMMC 2.0, the requirement is supposed to begin in 9 – 24 months. That, too, may be subject to change.
In Level 1 – FCI, the foundational level, the requirement for the third-party audit is dropped. The requirement is for the contractor to annually self-assess their compliance with the existing CMMC 1.0 Level 1 17 practice controls and enter their score into the Supplier Performance Risk System (SPRS). It is an open question as to whether there is a minimum score requirement. Nevertheless, this seems straightforward, though, in the past, the value of self-assessment has been questionable.
In Level 2 – CUI, non-critical, the advanced level, the requirement for the third-party audit is dropped. The requirement is for the contractor to self-assess their compliance with the 110 controls in NIST SP 800-17 and annually enter their score into SPRS. There will be a minimum score requirement. Excluding annual reporting, there is no change regarding the current reporting requirement outlined by the Interim Rule. CMMC 2.0 allows for a Plan of Action and Milestones (POAM). However, this will only apply to non-critical elements in NIST SP 800-171. The assumption is that the critical elements are the 44 highest-weighted requirements; these controls are a bit less than half of the total, and they are the most difficult and are the most likely to be on the POAM. This means that the POAM will only apply to the easy three and one-point controls. Another issue regarding the POAM is that annual reporting forces organizations to execute their POAM and meet the remaining controls. At some point, the organization will have to self-assess they are in total compliance. Nevertheless, the most notable change for Level 2 non-critical CUI is dropping the third-party audit requirement and moving to self-assessments.
In Level 2 – CUI, critical the advanced level, there is no POAM allowed, the organization is to meet the 110 controls in NIST SP 800-171. Second, there is a tri-annual third-party assessment requirement, meaning organizations with critical CUI will be assessed once every three years. This is no change from CMMC 1.0.
Level 3 – CUI, the expert level, the organization is to meet all NIST 800-171 and the additional 35 enhanced controls of NIST 800-172 for a total of 145 requirements. As with Level 2 critical CUI, there is a once every three years assessment; this assessment will be government-led.
The goal of CMMC 2.0 was to respond to the Defense Industrial Base (DIB) questions concerning complicated compliance requirements and costs. With three levels of compliance and by returning to the NIST requirements, this has eliminated redundant levels and reduced compliance count. Eliminating the additional CMMC requirements and third-party assessments have reduced costs. However, there may be other risks in CMMC 2.0. There is an issue with the validity of self-assessments at Levels 1 and 2 non-critical CUI. Unfortunately, past DIB self-reporting has not reflected reality. However, the bottom line is that the CMMC requirements are not going away; the structure of the requirements remains NIST 800-171. As a DIB contractor at any level, the recommendations are to implement the foundational requirements of NIST 800-171.