
What You Need To Know About CMMC 2.0

June 27, 2022 | January 18th, 2023 | Cybersecurity

First introduced in 2020, the Cybersecurity Maturity Model Certification (CMMC) program was the Department of Defense’s (DoD) attempt to enhance its approach to cybersecurity. Since the Defense Industrial Base (DIB) is a common target of cyberattacks, the DoD designed this solution to protect American ingenuity and national security. After receiving feedback from the Government Accountability Office (GAO), the DoD Inspector General, and over 850 public comments, the DoD refined the program and released CMMC 2.0.

How does the latest version differ from the original? In this blog, we’re going to discuss the changes and how they impact your business.

What Is the CMMC?

Before we get into the new changes implemented by the DoD, we first need to explain what the CMMC is. This program is a collection of cybersecurity standards similar to the Defense Federal Acquisition Regulation Supplement (DFARS) 7012. It was created to govern the way government-contracted companies handle controlled unclassified information (CUI).

The CMMC program has three key features:

  • Tiered Maturity Model: The original program uses a five-tiered maturity model with advanced cybersecurity requirements. The stringency of these requirements depends on the type of information and level of sensitivity.
  • Assessment Requirements: Assessments must be conducted by an accredited auditor. These allow the DoD to verify that you’ve implemented the necessary cybersecurity measures.
  • Implementation Through Contracts: Contractors earn contracts based on what CMMC level they’re certified for.

What Are the CMMC Tiers?

As mentioned earlier, the original CMMC contained five different tiers. Each tier demonstrates your organization’s level of commitment to overall cybersecurity and outlines what you need to do to be certified at that level:

  • Level 1: The first tier focuses mainly on basic cyber hygiene. At this level, you are given access to federal contract information (FCI). Although FCI is not classified information, it’s still not meant to be seen by the general public. It’s expected that you properly safeguard this data following practices specified in 48 CFR 52.204-21.
  • Level 2: At level two, your business must establish and document practices and policies that help it meet CMMC standards.
  • Level 3: To reach level three, you must meet all of the requirements in NIST SP 800-171, as well as 20 additional practices.
  • Level 4: A level four contractor has proven that they use a substantial and proactive cybersecurity program. If you achieve this level, you are expected to regularly review and measure the effectiveness of your practices.
  • Level 5: When you reach the top tier, you are recognized as an organization with an advanced or progressive cybersecurity program. At this level, you are expected to standardize and optimize process implementation across your organization.

How the CMMC 2.0 Differs From the Original

Known as 2.0, CMMC’s latest version differs from the original program in several ways. Some of the most notable changes include:

  • Fewer Tiers: The second and fourth tiers have been removed, bringing the total to three. While tiers one, three, and five were based on existing standards, two and four were based on practices created specifically for the program.
  • Better Alignment: CMMC 2.0 is fully aligned with NIST regulations.
  • Reduced Assessment Costs: Any company that is level one (previously level two) is now allowed to perform self-assessments for compliance. This eliminates the need to pay for your assessments.
  • More Accountability: Oversight of the professional and ethical standards of the organizations that perform assessments has been increased.
  • Flexibility: Some companies are allowed to make plans of action and milestones (POA&M) to achieve certification.
  • Speed: For the sake of speed, some companies are allowed to request waivers.

Achieve Compliance Before It’s Too Late

While CMMC compliance isn’t a requirement yet, that’s expected to change by 2026. It’s recommended that you begin preparing early to meet the DoD’s CMMC requirements so you can be a step ahead of your competitors. Third Wave Innovations can help with our CMMC, NIST, and continual compliance services.

Contact us today to learn more about our services.