The program puts forth three fundamental features:
- Tiered Model: CMMC requires businesses entrusted with national security data to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The framework also sets out the process for how that information flows.
- Assessment Provision: CMMC assessments allow the Department to verify that the specified cybersecurity standards have been implemented.
- Enactment through Contracts: Once CMMC is fully implemented, DoD contractors that handle critical unclassified DoD data will be required to achieve a specified CMMC level as a condition of contract award.
In late 2021, the U.S. Department of Defense (DOD) announced "CMMC 2.0," a revised version of the CMMC 1.0 program. The updated requirements are designed to meet the immediate goals identified in internal reviews, which are to:
- Safeguard sensitive information.
- Dynamically strengthen DIB cybersecurity to counter emerging threats.
- Ensure accountability while minimizing barriers to compliance with DoD requirements.
- Work toward building a collaborative ecosystem of cybersecurity and cyber stability.
- Strengthen public trust through high professional and ethical standards.
The new program focuses on reducing costs for small and medium-sized businesses (SMBs) and aligning their cybersecurity requirements with other federal requirements.
Fundamental Features of CMMC 2.0
With CMMC 2.0, the DOD introduces several fundamental changes that build on and simplify the original program requirements:
An Enhanced Version
- Focused on the essential requirements: Streamlines the CMMC model by consolidating the earlier five compliance levels into three.
- Aligned with established standards: Builds on National Institute of Standards and Technology (NIST) cybersecurity standards.
- Reduced assessment costs: Allows all businesses at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessment.
- Increased accountability: Strengthens oversight of the professional and ethical standards of third-party assessors.
- Collaborative approach: Under certain limited conditions, businesses may use Plans of Action & Milestones (POA&Ms) to achieve certification.
- Added flexibility and speed: Allows waivers of CMMC requirements under certain limited circumstances.
CMMC 2.0 Levels
Level 1: Foundational
Number of Practices: 17, with annual self-assessments.
Level 2: Advanced
Number of Practices: 110, aligned with NIST SP 800-171. Assessments are triennial and performed by third parties for information critical to national security; for a select subset of programs, self-assessments are performed annually.
Level 3: Expert
Number of Practices: 110+, with triennial government-led assessments.
Because CMMC is aligned with NIST standards, the Department's requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.