By Chor-Ching Fan & David Trout

In a letter dated November 1, 2021 from Patricia L. Toppings, OSD Federal Register Liaison Officer, the DoD provided notice of proposed rulemaking involving changes to CMMC. Collectively, the changes are called CMMC 2.0. Below are key highlights of the CMMC 2.0 changes:

CMMC 1.0 Items Eliminated

  • Controls/practices associated with Levels 2 and 4
  • Process Maturity
  • All controls/practices that were unique to CMMC in favor of existing NIST controls

CMMC 2.0 Key Highlights

  • CMMC 2.0 Level 1 (Foundational) – same controls as CMMC 1.0 Level 1, registration of self-assessments and affirmations in the Supplier Performance Risk System (SPRS)
  • CMMC 2.0 Level 2 (Advanced) – same controls as CMMC 1.0 Level 3
    • self-attestation with SPRS submission if you have non-critical CUI
    • third-party assessment required if you do have critical/sensitive CUI (i.e. weapons/command systems)
  • CMMC 2.0 Level 3 (Expert) – same controls as CMMC 1.0 Level 5, assessment handled by DoD

The proposed updates that form CMMC 2.0 can’t go into full effect until rulemaking is completed, which will take anywhere between 9-24 months. While considering the above CMMC 2.0 requirements for planning purposes, tactically it is important to continue improving your cyber hygiene and to reference the current DFARS clauses in your DoD contract(s), which may point to compliance requirements for NIST SP 800-171 controls, scoring, and affirmation submissions in the SPRS.

If you are planning your CMMC compliance efforts or need help with making your existing project more efficient and effective, we’d love to chat. Rizkly offers a compliance program management platform to streamline CMMC compliance efforts along with your own dedicated advisor to answer questions and guide you to success. Please contact us to learn more.