Cybersecurity Maturity Model Certification (CMMC) 2.0 Update
In an hour-long meeting on November 9th, representatives from the DoD spoke at the CMMC Town Hall Meeting to update those of us in the CMMC Ecosystem on the modifications made to CMMC.
Based on feedback, it was decided that the original CMMC model was too onerous, and that it was basically unnecessary to require most of the DIB that handles CUI to be assessed to Level 3 certification. Based on risk, the suppliers to the DoD handling CUI that could present a threat to National Security will be the organizations required to certify to the new Level 2.
Changes
The CMMC 2.0 model is streamlined. Levels 2 and 4 of the original model have been eliminated; these were transitional levels that were never intended to be assessed.
Formerly 5 levels, there are now 3 levels:
- Level 1 – Foundational level – companies with FCI only; the information requires protection but is not critical to National Security, and these companies will require self-assessments to NIST 800-171
- Level 2 – Advanced level – companies with CUI; these may require a third-party assessment or a self-assessment, depending on the type of information
- Level 3 – Expert level – the highest-priority companies with CUI, to be assessed by the government
Allowance of POA&Ms and Waivers
Contracting officers can use normal contractual remedies to address a DIB contractor’s failure to meet its cybersecurity requirements after a defined timeline.
Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk.
PJC will post updates as they are received.
For more information on CMMC or other Information Security Standards such as the ISO 27000 series, contact PJC.