CMMC 2.0: Four Changes You Need to Know

Andres Ramos

Last week, the Department of Defense announced "CMMC 2.0," an update that "simplifies" the Cybersecurity Maturity Model Certification standard while preserving its original goal of safeguarding sensitive information. Here's what's changed and what it could mean for you.

  • Instead of five (5) separate levels of maturity, there are now three (3).
  • Level 1 has changed from “Basic” to “Foundational”. A third-party assessment is no longer required for this level; it is now an annual self-assessment. The controls formerly found in Level 1 of CMMC stay the same.
  • Level 2 is considered “Advanced” and covers 110 practices aligned with NIST SP 800-171. This level is assessed three times a year with third-party assessments, with select programs able to do annual self-assessments instead.
  • Level 3 is considered “Expert”, covering at least 110 practices based on NIST SP 800-172. This level is also assessed three times a year, with government-led assessments.

At this time, very little public information is available about the specifics of the controls within the new CMMC levels. CMMC 2.0 will become a contractual requirement once the Department of Defense completes the rulemaking process, expected to take 9-24 months. For more information about CMMC, visit https://www.acq.osd.mil/cmmc/index.html.

No matter your experience or desired level, preparation for this change can start today and give your company the advantage of being ahead and ready to win contracts as soon as rulemaking is completed. Whitehawk’s Cyber Risk Journey maps to the very standards with which CMMC 2.0 is expected to align. Get started today with a complimentary consultation with one of our cyber analysts.