“At a high level, here are the important takeaways from CMMC 2.0:
- There are now going to be three levels of security, reduced from CMMC 1.0’s five levels.
- The new Level 1 security retains the same 17 controls as CMMC 1.0 Level 1 but removes independent validation requirements, allowing DIB vendors to perform annual self-assessments.
- The new Level 2 (previously CMMC 1.0 Level 3) now includes only the 110 practices from NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The additional 20 practices and three processes borrowed from other security frameworks (e.g., FAR Clause 52.204-21, NIST 800-53 Rev. 4, NIST CSF v1.1) that were part of CMMC 1.0 have been removed…”
- “The new Level 3 (previously CMMC 1.0 Level 5) now only includes the practices from NIST 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, a supplement to NIST SP 800-171…”
“In light of recent events, my recommendation is that everyone needs to step back and take a breath. Let’s all let the DoD and the CMMC-AB (if it will still exist in this CMMC 2.0 world) put pen to paper and codify what CMMC 2.0 will actually look like to prevent the same fallout from CMMC 1.0 hitting us all again with 2.0.
In the meantime, NIST 800-171 always has been and continues to be the law of the land. If your DIB organization processes, stores, and/or transmits confidential unclassified information, you’ll need to ensure that you implement NIST 800-171 in its entirety. Whether you’ll eventually need an independent third-party to assess your implementation or you’ll be able to self-assess doesn’t really matter. NIST 800-171 provides a solid baseline to securing critical data, and it’s the bare minimum that every vendor that does business with the DoD should put squarely in its sights…”
Source: Let the dust settle on CMMC 2.0 – By Johann Dettweiler, January 13, 2022. Federal News Network.