By Jerry Garcia

CMMC 2.0 Final Rule Released: New Compliance Standards Set to Begin Next Year

The Department of Defense (DoD) has officially released the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0, establishing compliance requirements for contractors that handle federal contract information (FCI) and controlled unclassified information (CUI). The requirements are set to begin appearing in contracts in 2025 and will be rolled out over a three-year phase-in period.

Key Takeaways

  • CMMC 2.0 introduces a three-level compliance scale, replacing the five-level model of CMMC 1.0.

  • Contractors that handle only FCI (Level 1), and some that handle CUI (Level 2), can self-assess; Level 2 contractors handling more sensitive CUI must be assessed by an accredited third-party assessment organization, and Level 3 contractors are assessed by the government.

  • Level 3 requires 24 selected security requirements from NIST SP 800-172 on top of the 110 NIST SP 800-171 requirements that make up Level 2.

Overview of CMMC 2.0

The CMMC 2.0 framework aims to strengthen cybersecurity practices among defense contractors so that sensitive government information is adequately protected. The final rule is to be published in the Federal Register on October 15, 2024, and, as it is phased in starting in 2025, will require contractors to hold the CMMC status specified in a solicitation at the time of contract award.

Changes from CMMC 1.0 to CMMC 2.0

The transition from CMMC 1.0 to CMMC 2.0 brings several key changes:

  1. Simplified Compliance Levels: The previous five-level scale has been reduced to three levels, making it easier for contractors to understand which requirements apply to them.

  2. Self-Assessments for Lower Levels: Contractors at Level 1 (FCI only) and some at Level 2 (CUI) may conduct self-assessments, removing the cost of a third-party evaluation for contracts with less sensitive information.

  3. Mandatory Independent Assessments: Level 2 contractors handling more sensitive CUI must be assessed by a certified third-party assessment organization (C3PAO), and Level 3 contractors must undergo a government-led assessment.

Importance of Compliance

The CMMC program is designed to hold contractors accountable for the cybersecurity practices they claim to have in place. It aims to prevent misrepresentation of a company's security posture and to ensure that companies monitor and report cybersecurity incidents effectively. The annual affirmation requirement, under which a senior company official attests to continued compliance, is a key accountability mechanism.

Industry Response

The release of CMMC 2.0 has been anticipated since the program was first announced in 2019, with officials emphasizing the need for a more streamlined and cost-effective approach to cybersecurity compliance. A recent study cited by Breaking Defense highlighted a significant gap between self-assessments and actual compliance: only 4% of respondents met CMMC requirements when evaluated by a third party, while 75% believed they were compliant based on their own self-assessments.

Conclusion

As the DoD prepares to implement CMMC 2.0, contractors should familiarize themselves with the requirements for the level that applies to them and prepare for the upcoming changes. The phased approach is intended to give the defense industrial base time to reach compliance so that sensitive information is adequately protected.

Sources

  • "CMMC 2.0 final rule released: New compliance standards set to begin next year," Breaking Defense.
