
CMMC 2.0 is here: Key changes and what it means for your business

Heather Buker | December 11, 2024

On October 15, 2024, the US Department of Defense (DoD) published the final rule for the latest iteration of the Cybersecurity Maturity Model Certification (CMMC). With this last piece of the puzzle in place, DoD contractors have only a few months left to prepare and secure their compliance. To support you through this transition, we've created a guide outlining the updated requirements and components of the framework so that your organization can align with the upcoming deadlines. Learn what it takes to become CMMC-certified below:

What is CMMC?

The Cybersecurity Maturity Model Certification program was developed with the goal of enhancing cybersecurity across the US Defense Industrial Base (DIB). It aims to safeguard the confidentiality of data shared through defense contracts, such as federal contract information (FCI) and controlled unclassified information (CUI), and prevent unauthorized access, use, or dissemination of sensitive government information.

Who’s required to comply: Under CMMC, contractors, suppliers, manufacturers, and other organizations working with the DoD are required to implement a set of security measures and undergo assessments at varying levels depending on the type of information they handle.

Importance of CMMC: CMMC provides a framework for meeting cybersecurity standards and defense regulations. It incorporates controls from other frameworks such as NIST SP 800-171, aligning with the requirements of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). Achieving CMMC certification enables defense contractors to effectively address growing cyber threats and maintain a robust security posture while streamlining compliance with federal regulations.

CMMC timeline: CMMC was first released in September 2020, and the new version was introduced in November 2021. With the final rule, 32 CFR Part 170, published in October 2024, CMMC 2.0 comes into force 60 days later, on December 16, 2024. The phased implementation plan is then expected to begin during the first quarter of 2025.

CMMC 1.0 vs CMMC 2.0: What’s changed?

CMMC 2.0 consolidates some of the components of the original framework to simplify implementation for organizations, particularly small and mid-sized businesses. Major differences between the two frameworks can be summarized into these key points:

Reduced maturity levels

The update condensed the framework's original five maturity levels into three. This entails changes in the security requirements as well as the assessment and certification processes for DoD contractors.

Distinction between levels: While the CMMC 1.0 model creates a distinction between organizations that process FCI (Levels 1 and 2) and those that process CUI on top of FCI (Levels 3, 4, and 5), the CMMC 2.0 model simply defines requirements for the basic protection of FCI (Level 1), broad protection of CUI (Level 2), and enhanced protection of CUI against advanced persistent threats (Level 3).

Specific security requirements: The security practices and processes in CMMC 1.0, which were derived from NIST SP 800-171, NIST CSF, and other sources, have been transformed into specific security requirements in the new framework, reducing the total number of requirements from 171 down to 134. CMMC 2.0 now directly outlines 15 security requirements from FAR clause 52.204-21 for Level 1 assessment, 110 requirements from NIST SP 800-171 for Level 2, and a combination of 110 requirements from NIST SP 800-171 and 24 requirements from NIST SP 800-172 for Level 3 certification.

| CMMC 1.0 | Requirements | CMMC 2.0 | Requirements |
|---|---|---|---|
| Level 5: Advanced | 171 practices, 5 processes; protection of CUI from advanced persistent threats; third-party assessment | Level 3: Expert | 134 requirements; DIBCAC assessment every 3 years; annual affirmation |
| Level 4: Proactive | 156 practices, 4 processes; protection of CUI from moderate risks | Level 2: Advanced | 110 requirements; C3PAO assessment or self-assessment every 3 years; annual affirmation |
| Level 3: Good | 130 practices, 3 processes; protection of FCI and minimal CUI; third-party assessment | Level 1: Foundational | 15 requirements; annual self-assessment; annual affirmation |
| Level 2: Intermediate | 72 practices, 2 processes; moderate amount of FCI | | |
| Level 1: Basic | 17 practices; minimal amount of FCI; third-party assessment | | |

More focused security domains

CMMC 1.0 consisted of 17 cybersecurity domains, which formed the foundation of the framework's maturity levels. Based on the control families of NIST SP 800-171, these domains delineate the distinct security practices or controls that organizations must implement to adequately protect FCI and CUI.

CMMC 2.0, on the other hand, has streamlined its domain structure, focusing on 14 core domains and featuring more refined security practices, such as restricting access to CUI (Access Control), maintaining information system integrity (Configuration Management), safeguarding CUI stored on removable media (Media Protection), and vetting personnel who handle CUI (Personnel Security), among others.

| CMMC 1.0 security domains | CMMC 2.0 security domains |
|---|---|
| 1. Access control | 1. Access control |
| 2. Asset management | 2. Audit and accountability |
| 3. Audit and accountability | 3. Awareness and training |
| 4. Awareness and training | 4. Configuration management |
| 5. Configuration management | 5. Identification and authentication |
| 6. Identification and authentication | 6. Incident response |
| 7. Incident response | 7. Maintenance |
| 8. Maintenance | 8. Media protection |
| 9. Media protection | 9. Personnel security |
| 10. Personnel security | 10. Physical protection |
| 11. Physical protection | 11. Risk assessment |
| 12. Recovery | 12. Security assessment |
| 13. Risk management | 13. System and communication protection |
| 14. Security assessment | 14. System and information integrity |
| 15. Situational awareness | |
| 16. System and communication protection | |
| 17. System and information integrity | |

Rigorous assessments

Under CMMC 1.0, organizations had to undergo assessments conducted by accredited CMMC Third-Party Assessor Organizations (C3PAOs) to obtain certification, with recertification required every three years. Under CMMC 2.0, third-party assessments are only required for Level 2 certification of defense contractors managing critical national security information.

For Level 1 organizations, which do not handle CUI but do process sensitive data or FCI, as well as for select programs under Level 2, only self-assessments are required, and no certification is issued for these levels. Finally, for organizations dealing with critical and high-priority defense program information, CMMC 2.0 introduces government-led assessments as the requirement for obtaining Level 3 certification.

Annual affirmations, which are formal declarations verifying an organization’s compliance with CMMC, are now also required for all implementation levels.

Other differences in components

Aside from simplifying the maturity levels, consolidating the security domains, and reinforcing compliance requirements for organizations within the scope of the framework, CMMC 2.0 also includes other notable differences from the previous version.

Capabilities: CMMC 1.0 references different capabilities or measures that can be mapped to each of the security domains of the framework. These have been removed in CMMC 2.0 along with the practices and processes previously established for each level.

Plans of Action and Milestones: On the other hand, Plans of Action and Milestones (POA&Ms) have been added to the revised framework. These documents detail the remediation actions the organization will take to address requirements that were found not to be met during the assessment. POA&Ms apply only to Level 2 and Level 3 certification assessments. Once the POA&M actions are implemented, a POA&M closeout assessment completes the certification.

Overall, CMMC 2.0 establishes a more targeted approach to cybersecurity within the defense supply chain, making implementation easier and ensuring an efficient compliance process for organizations.

How to prepare for CMMC 2.0

For a successful CMMC certification, there are a few steps you can take to ensure that your organization is ready to go through the compliance process:

  1. Know your data: Before you can comply with the framework, you first need to identify which requirements apply to your organization. Start by reviewing your contracts to determine whether your organization processes FCI, CUI, or both. FCI is any information generated through contracts with the DoD that is not intended for public release. To classify CUI, use the DoD CUI Registry to identify the different types of sensitive information and the security controls they require. Based on the type of data your organization handles, you can then determine which CMMC level your organization falls under.

  2. Perform a gap analysis: Once you have determined your compliance requirements based on your level in the CMMC 2.0 model, you can proceed to conduct an initial gap analysis. This involves assessing your current security posture against the requirements of the framework to identify any compliance gaps. With 6clicks’ AI-powered compliance mapping capability, you can expedite this step and quickly identify areas of non-compliance. Our AI engine Hailey can map your internal controls to the provisions of the framework within seconds and provide a similarity score to help you identify your level of compliance with CMMC.

  3. Implement controls: To address the gaps you have identified from the gap analysis, you must adjust your cybersecurity practices and implement new controls and policies to meet the requirements of the framework. It is also important to test and validate the effectiveness of your controls to ensure consistent compliance. 6clicks’ Continuous Control Monitoring feature enables you to perform automated tests and gain insights into control performance, providing real-time surveillance and instant alerts for control failures and configuration issues.

  4. Conduct self-assessments: Whether you’re aiming for Level 1 assessment or Level 2 and 3 certifications, conducting regular internal audits and assessments is always a good practice to verify your compliance with the framework and continuously improve your security implementation. The 6clicks platform has integrated audit & assessment capabilities with ready-to-use assessment templates, custom workflows, and AI-powered assessment response generation features to help you become audit-ready for CMMC assessments.

  5. Get your documentation ready: Lastly, make sure that all required documentation, such as your system security plan (SSP) and the documentation of your policies, controls, and procedures, is readily accessible, complete, accurate, and up-to-date for a smooth assessment and certification process. Export reports and other documentation from the 6clicks platform and use our Trust Portal to share assessment results, certifications, and other compliance evidence with customers, partners, auditors, and other stakeholders.

Streamline CMMC certification with 6clicks

Utilize the powerful features of 6clicks to accelerate your journey to CMMC compliance. Easily access authority documents such as the NIST SP 800-171 and perform assessments against it using our turnkey NIST SP 800-171 assessment template. Meanwhile, implement, manage, validate, and improve your controls using 6clicks’ control management and continuous monitoring features. Learn more by scheduling a consultation with us below.



Frequently asked questions

Who is impacted by CMMC 2.0?

There are two components that qualify an organization for CMMC compliance. First is the type of information they process and second is the industry they operate in. Contractors, sub-contractors, suppliers, manufacturers, as well as IT managed service providers handling FCI and CUI under the DoD supply chain are required to implement the security requirements of CMMC 2.0 and undergo different levels of assessment.

What are the different levels of CMMC assessment?

Instead of maturity levels, the CMMC 2.0 model comprises three implementation or assessment levels: Foundational, Advanced, and Expert. A Level 1 CMMC assessment is required for DoD contractors managing FCI, while those that store, process, receive, or transmit CUI requiring a higher level of protection against advanced threats are subject to Level 2 and Level 3 assessments and certifications.

What are the requirements of CMMC 2.0?

Under the new framework, the practices and processes from CMMC 1.0 are replaced by specific security requirements for each implementation level: 15 security requirements for Level 1, 110 for Level 2, and 134 for Level 3. Self-assessments are part of the requirements for Level 1, while third-party and government-led assessments are required for Levels 2 and 3 respectively. Annual affirmations are mandatory for all levels.




Written by Heather Buker

Heather has been a technical SME in the cybersecurity field for her entire career, from developing cybersecurity software to consulting, service delivery, architecture, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.