CMMC 2.0
BrickStor SP helps contractors meet NIST 800-171 to protect unstructured data from cyber attacks and insider threats
The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 at the end of 2021, including a CMMC 2.0 Model Overview document, CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and the CMMC Artifact Hashing Tool User Guide.
DoD has stated that CMMC 2.0 will not be a contractual requirement until the department completes the rulemaking needed to implement the program. Although DoD estimates that the rulemaking process will take up to 24 months, these documents are highly relevant to any contractor selling to DoD. Once CMMC 2.0 is implemented, it will be mandatory wherever sensitive DoD information is provided to a contractor or is generated, processed, stored, or transmitted in support of the performance of a DoD contract. Moreover, contractors who can implement CMMC practices more quickly will likely have a competitive advantage over contractors who wait to address CMMC until right before the clauses appear in individual procurements.
The newly released overview document outlines the general requirements that contractors must implement to achieve each CMMC level. As set forth in the document, Level 1 of CMMC 2.0 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21 and Level 2 is equivalent to all of the security requirements in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (Rev. 2). The overview document indicates that Level 3 certification requirements will be a subset of the requirements in NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”, but it does not specify which requirements will apply, and only notes that details for Level 3 certifications will be released at a later date. In each case, the levels build on one another, i.e., a contractor must implement all of the practices at Levels 1 and 2 plus additional Level 3 requirements in order to achieve a Level 3 certification.
RackTop Addresses CMMC Domains and the Number of Relevant Practices
| CMMC Domain | Number of Relevant Practices |
| --- | --- |
| Access Control | 11 |
| Audit and Accountability | 7 |
| Configuration Management | 1 |
| Identification and Authentication | 7 |
| Incident Response | 2 |
| Maintenance | 1 |
| Media Protection | 6 |
| Recovery | 3 |
| Situational Awareness | 1 |
| System Communications Protection | 8 |
| System and Information Integrity | 3 |
Additional Resources
CMMC: CMMC Preparedness Checklist
CUI: RackTop’s CUI Cyberstorage Solution
RMF: Risk Management Framework compliance overview