Cybercrime is expected to cost enterprises globally $10.5 trillion annually by 2025, according to a 2021 Cybersecurity Ventures analysis. With over 220,000 enterprises in the Defense Industrial Base (DIB), cybersecurity is a major concern for the government, for businesses, and for national security. It is critical for enterprises to stay current with CMMC 2.0's requirements, because the path to CMMC certification can be long and tedious. Enterprises that have already aligned to CMMC 1.0 will not automatically land at CMMC 2.0 Level 3; the levels and assessment rules have been redrawn. To better understand what has changed, let us take a look at the key differences between CMMC 1.0 and 2.0.

CMMC 1.0

On September 4, 2019, the United States Department of Defense (DoD) published draft Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC); the final "CMMC 1.0" followed on January 31, 2020. CMMC is a certification framework through which a contractor demonstrates, to an assessor, that it has implemented the safeguards of NIST SP 800-171. NIST SP 800-171 is a NIST Special Publication that sets down requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) on non-federal systems. The purpose of CMMC is to state the required level of cybersecurity hygiene in a request for proposal and to use that level to determine whether a contractor is eligible for award. CMMC 1.0's Maturity Processes (the documented policies, plans, and resourcing required at each level in addition to the practices) were poorly defined for businesses, because in the year after CMMC version 1.0 was released the DoD never supplied an example of a passing policy, process, or plan.

Key Differences in CMMC 2.0

After the Department of Defense (DoD) completed an internal review of the CMMC program, it announced a revised model on November 4, 2021. Known as CMMC 2.0, the changes are meant to streamline the program, making it easier (and less expensive) for contractors to implement. Allowing self-assessment at the lower levels is a central part of the plan to reduce the cost burden.

Because of the complications CMMC 1.0 caused for businesses, the DoD has stated that CMMC 2.0 requirements will not appear in any contracts until the federal rulemaking process is complete. CMMC 2.0 is an updated model built on CMMC 1.0's pre-existing goals: protecting sensitive information and improving the cybersecurity of the Defense Industrial Base (DIB) as threats evolve. The department has suspended the CMMC 1.0 pilot and its planned phased rollout, under which CMMC clauses were to appear in an increasing number of contracts over five years. Contractors are still encouraged to improve their cybersecurity, and they do not need to pursue CMMC certification for the time being. Note, however, that existing contract obligations remain in force: contractors handling CUI are still bound by DFARS 252.204-7012, which already requires implementation of NIST SP 800-171, so "no CMMC yet" does not mean "no requirements."

[Figure: CMMC 1.0 vs CMMC 2.0, by Joel Joseph]

The most noticeable difference between CMMC 1.0 and CMMC 2.0 is that there are now three levels instead of five: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The practice count at the comparable levels has also dropped, because the CMMC-specific practices and the maturity processes added on top of NIST SP 800-171 have been removed. Although the model is narrowed to three levels of criticality, the assessment regime is now tied to how sensitive the CUI is: the most critical acquisitions require independent or government-led assessment rather than self-attestation.

Under these updates, Level 1 keeps the same 17 basic safeguarding practices as CMMC 1.0's Level 1, but is now verified by an annual self-assessment with an annual affirmation by company leadership. Level 2 takes the place of CMMC 1.0's Level 3 and is aligned directly to the 110 requirements of NIST SP 800-171, dropping the 20 additional CMMC-specific practices that Level 3 carried in 1.0. Level 2 assessment splits into two branches based on criticality. If you handle CUI on a prioritized acquisition (information critical to national security), you must obtain an independent third-party assessment every three years (triennially); this is the same three-year cadence planned under 1.0, not a more frequent one. If you handle CUI that is not tied to a prioritized acquisition, you may instead perform an annual self-assessment. Lastly, Level 3 replaces CMMC 1.0's Level 5 and is built on NIST SP 800-171 plus a subset of the enhanced requirements from NIST SP 800-172, with assessments conducted by the government every three years.

Each CMMC level requires implementation of a defined set of practices, and the levels are cumulative: Level 2 includes everything in Level 1, and Level 3 includes everything in Level 2. Because CMMC 2.0 removed the separate maturity processes, an enterprise seeking a given level must demonstrate that the practices themselves are implemented and operating, not that a separate process-maturity tier has been reached. Prioritized CUI acquisitions will require an independent third-party assessment, while non-prioritized CUI acquisitions will be subject to a yearly self-assessment and a company affirmation.

In short, many details of the updated program are still to be finalized in rulemaking; however, the following are the notable highlights for enterprises enhancing their cybersecurity in line with CMMC 2.0:

Fewer Levels: Instead of five levels of certification, CMMC 2.0 will have only three, which align more closely with existing cybersecurity standards. Level 2, for example, maps one-to-one to NIST SP 800-171, the publication that governs how contractors protect Controlled Unclassified Information (CUI).

Self-Assessments: Self-assessments are allowed for Level 1 and for Level 2 on non-prioritized acquisitions. This will save many contractors the time and money of a third-party evaluation. However, it also raises the stakes for contractors who wrongly affirm their compliance: a company affirmation is a representation to the government, and a false one exposes the contractor to False Claims Act liability.

Flexible Timing: Under CMMC 2.0, contractors may in limited cases be awarded a contract without satisfying every requirement, provided they have a Plan of Action and Milestones (POA&M) that states when and how the open items will be closed. It is important to note that this flexibility is bounded: the DoD has indicated that POA&Ms will be time-limited and that the highest-weighted requirements must be met before certification, so a POA&M cannot be used to defer the most critical controls.

The government is expected to make further revisions to the specifics of CMMC before the final rule is published. To improve your security and data protection, and to be ready when the requirements do appear in contracts, it is still worth implementing cybersecurity practices that follow the CMMC 2.0 guidelines now.

For more information on CMMC, please visit NextLabs' YouTube video on How to Comply with CMMC at Different Levels and Safeguard Your Company's Sensitive Information.