Initially, the CMMC program provided a general framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by defense contractors. In November 2021, however, the DoD replaced the original program with CMMC 2.0, which streamlined the required practices, aligned them more closely with NIST SP 800-171, and changed how compliance is assessed. Some of the most important changes to the program are listed here:
- The program now features a tiered model with three levels (Level 1 "Foundational", Level 2 "Advanced", and Level 3 "Expert"), each with its own set of practices and its own assessment requirements. Previously, five maturity levels were defined for contractors and subcontractors in the defense industrial base (DIB).
- The number of domains was reduced from 17 to 14, matching the 14 requirement families of NIST SP 800-171, and the CMMC-unique practices and process-maturity requirements that went beyond that standard were dropped. The remaining domains include risk assessment, incident response, maintenance, personnel security, access control, and awareness and training, among others.
- The type of assessment required depends on the sensitivity of the information a contractor or subcontractor handles and on the CMMC level specified in the contract. At Level 1, where only FCI is involved, an annual self-assessment is sufficient. At Level 2, where CUI is involved, most contracts require a triennial assessment by a CMMC third-party assessor organization (C3PAO), with self-assessment permitted only for a subset of acquisitions. At Level 3, which applies to the most sensitive programs, the assessment is government-led rather than performed by a C3PAO.
- Waivers may be granted for select mission-critical acquisitions on behalf of the Department of Defense. These are approved case by case by senior DoD leadership, are limited in scope and duration, and should not be seen as a substitute for a robust cybersecurity program.
For current DoD contractors and those who intend to compete for DoD work in the future, preparing for CMMC assessment at the level their contracts will require is a key step in qualifying for those contracts.