software developer writing and smiling

What Changes Did CMMC 2.0 Introduce?

As an IT company, we understand the need for tight cybersecurity measures and standards. But sometimes, all the compliance regulations can blend together in a giant mess! That’s why we’re here to help you understand the changes to CMMC 2.0 and how the expectations have been streamlined.

In November of 2021, the Department of Defense announced version 2.0 of CMMC. The new CMMC introduces a number of changes to the way that organizations are evaluated for their cybersecurity posture. While many aspects of the CMMC remain the same, there are some key changes that businesses should be aware of.

What Is CMMC?

The Cybersecurity Maturity Model Certification, or CMMC, is a government program that sets standards for how secure businesses are. If your company wants to do business with the Department of Defense, you will need to be certified under CMMC 2.0.

The CMMC was created in response to the many high-profile data breaches that have occurred in recent years. These breaches have highlighted the need for better cybersecurity practices across all industries.

While the CMMC is primarily focused on businesses that work with the Department of Defense, the standards set by the CMMC can be applied to any business. In fact, many businesses are already using the CMMC to improve their cybersecurity posture.

Changes in CMMC 2.0

As we mentioned, CMMC 2.0 has streamlined the process and made it more flexible. One of the advantages of this is that the barrier to entry for government contracts is lower—smaller businesses now have a better chance of meeting the DoD’s standards.

Changes in Model

The original CMMC had 5 levels; CMMC 2.0 has 3. Level 1 requires the 17 basic cyber hygiene practices from CMMC 1.0 and companies must complete an annual self-assessment and affirmation by company leadership

Level 2 has replaced the original Level 3. 20 controls from the original Level 3 have been removed, so contractors only have to implement the 110 remaining controls from NIST 800-171. Some contractors will be labeled as “prioritized acquisitions” by the DoD and will be assessed by an independent third party. All other organizations just need a self-assessment.

Levels 4 and 5 in CMMC 1.0 have been combined into Level 3. Contractors that want to meet Level 3 compliance will have to follow 110+ controls from NIST 800-171 and have triennial government-led assessments.

More Flexibility

Under CMMC 1.0, DoD contractors were required to meet every single practice and process for their required level of certification. A change in CMMC 2.0 that allows for a more flexible implementation is the Plan of Action and Milestones, also known as a POA&M. Contractors can submit a document that outlines their plan for compliance.

Reliable Assessments

Since all contractors at Level 1 and some at Level 2 can complete self-assessments, it lowers the price of compliance. In addition, the standards for third-party audits have been raised.

How to Become Compliant With CMMC 2.0

The best way to ensure compliance is by working with a CMMC consultant, like Brightline IT. We can help you assess your current cybersecurity posture and develop a plan to meet the requirements of CMMC 2.0.

If you’d like to go it alone, you can begin by reading the CMMC Overview and FAQ documents. These will give you a good overview of the program and what’s required at each level. You can also take a look at the NIST 800-171 standards to get an idea of the types of controls that need to be in place.

Brightline IT Can Help

If you’re looking for help in becoming CMMC 2.0 compliant, Brightline IT is here to help. We have years of experience as CMMC consultants helping businesses improve their cybersecurity posture and take advantage of the great benefits of CMMC compliance. Contact us today to get started!