The Cybersecurity Maturity Model Certification (CMMC) Framework is used by the DoD to verify that sensitive data being handled by defense industrial base (DIB) contractors is properly protected on the contractors’ systems to avoid risk of a compromise from a cybersecurity attack. CMMC uses third-party assessment organizations to verify contractors’ safeguarding of controlled unclassified information (CUI) including International Traffic in Arms Regulations (ITAR) data, federal contract information (FCI), and compliance with certain mandatory practices, procedures and capabilities that can adapt to evolving cyber threats.
In November 2021, the DoD announced CMMC 2.0. It’s important to understand key changes and timelines associated with CMMC 2.0, how it compares to CMMC 1.0, and what you need to do to prepare.
CMMC 1.0 was initially released in January 2020. The Framework was criticized as too complex, rigid and costly to implement. In addition, time to compliance was lengthy (between 12 and 18 months). The goal of CMMC 2.0 is to reduce complexity and cost, while aligning with cybersecurity requirements and other federal requirements.
By eliminating Levels 2 and 4 of CMMC 1.0, CMMC 2.0 becomes a more flexible system with a streamlined 3-tier framework, compared to the 5-tier framework of CMMC 1.0. Based on NIST controls, the three levels are as follows:
Note: Level 2 of CMMC 2.0 will be equivalent to NIST SP 800-171 and Level 3 will be equivalent to NIST SP 800-172.
The chart below provides a good overview and comparison of the CMMC 1.0 to 2.0 frameworks.
Daymark is a member of the North East CMMC Coalition. We are committed to the collaborative work the Coalition is doing to provide training and resources for program implementation, collaboration, recruitment and compliance assistance for the Defense Industrial Base. We are experienced in enabling DIB organizations to meet strict government and regulatory compliance requirements related to CMMC controls for ITAR, CUI and FCI data.
CMMC 2.0 requirements may not show up in contracts for several months, but now is clearly the time to act. At a Pentagon briefing in November 2021 shortly after the CMMC 2.0 announcement, Jesse Salazar, deputy assistant secretary of defense for industrial policy, said “My hope is that no company in the [defense industrial base] or in the broader commercial market is waiting for DoD contractual requirements to begin its cyber readiness process. We are encouraging all companies to start to improve their cybersecurity.”
Daymark has the experts able to help you achieve compliance and improve your security in an ever-changing environment filled with persistent threats. Contact us today.