Even though the DOD is still developing the specific security requirements of Level 3, it has indicated that it will include all 110 NIST SP 800-171 controls plus a subset of the advanced threat controls in NIST SP 800-172.
The number of controls at each level has also decreased. With CMMC 2.0, the DOD has eliminated all maturity processes, which measured the degree to which an organization had integrated the security practices into its operations. Twenty security requirements were also dropped in CMMC 2.0. The new Level 2 only requires organizations to implement the 110 security controls in NIST SP 800-171 to ensure they securely store and share CUI.
Further, CMMC 2.0 focuses on practices across 14 domains instead of the 17 mentioned in the older version.
These domains include:
- Access Control
- Awareness and Training
- Incident Response
- Personnel Security
- Risk Management
- System and Communications Protection
- Configuration Management
- Physical Protection
- Security Assessment
- System and Information Integrity
- Audit and Accountability
- Identification and Authentication
- Media Protection
The following are notable highlights for enterprises enhancing their cybersecurity in compliance with CMMC 2.0:
Fewer Levels: Instead of five levels of certification, CMMC 2.0 will have only three, which will be more closely aligned with existing cybersecurity standards. Level 2, for example, will align with NIST SP 800-171, the guideline that governs how contractors handle controlled unclassified information (CUI).
Self-Assessments: Self-assessments are allowed for Level 1 and Level 2 certifications. This will save many, if not all, contractors the time and money of a third-party evaluation. However, it will also increase the risk for contractors who wrongfully certify their compliance.
Flexible Timing: Contractors can be certified even if they do not yet satisfy all the standards, provided they have a clear plan for when and how they will meet them. It is important to note that certain standards must be satisfied before certification, so this flexibility will be limited.