Cybersecurity Maturity Model Certification (CMMC): 1.0 to 2.0
The Pentagon released an updated Cybersecurity Maturity Model Certification (CMMC) 2.0 in late 2021, intended to be more streamlined and less expensive for companies. Don’t wait for CMMC accreditation to become a requirement in your contract. Engage with CMMC and get certified.
The transition from CMMC 1.0 to 2.0 streamlined the requirements from a five-level structure to a three-level structure. The CMMC model’s purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).[1] In the transition, the CMMC 2.0 model eliminates all maturity processes and all CMMC-unique security practices: Advanced/Level 2 will mirror the NIST SP 800-171 security practices, and Expert/Level 3 will be based on a subset of the NIST SP 800-172 requirements.[1]
This certification conveys to your customers and clients, specifically U.S. DoD customers, that you take cybersecurity seriously. Under the new rules, Level 1 is “fundamental” and includes 17 cybersecurity practices with an annual self-assessment. Level 2 is considered “advanced” and includes 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171 guidelines. This level will require a triennial third-party assessment for critical national security information and annual self-assessments for select programs. Level 3 is the most secure, “expert” tier, with more than 110 practices based on NIST SP 800-172, and will require a triennial government-led assessment. Get your assessment on the schedule now to avoid delays in contract awards, and stay up to date with the guidelines and suggestions. In addition, companies can look to one of the five certified C3PAOs (e.g. Redspin) to conduct an audit.
For additional information or resources, visit the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment [1], or contact the SouthEast Innovation Institute for potential support.
[1] https://www.acq.osd.mil/cmmc/model.html