Update November 2023: The timeline for when CMMC will be officially published has been altered over the past year. In 2022, the original plan was to see CMMC wording included in contracts by May of 2023. However, as of July 24th, 2023, the proposed CMMC rule has been sent to the Office of Management and Budget, which will have 90 days to review it and send it back for changes. If approved, the rule will enter a public comment period. This means that CMMC may be finalized in Q1 of 2025.
The Evolution of CMMC Compliance
There's been a lot of talk regarding CMMC within the security sphere. The Cybersecurity Maturity Model Certification (CMMC) may seem like just another compliance requirement leveled against SMBs in a long list of government regulations and certifications; however, this couldn't be farther from the truth.
CMMC has provided organizations working within the Defense Industrial Base a standardized list of best practices to protect sensitive data. One of CMMC's greatest strengths is its ability to scale and change dynamically to address current cyber threats, effective security controls, and practicality for SMBs. CMMC 1.0 was established in early 2020, and just about two years later CMMC has moved to its streamlined version 2.0.
This raises an important question: what's the difference between CMMC 1.0 and 2.0?
The Purpose of CMMC 2.0
When the Defense Industrial Base (DIB) first revealed its intention to include CMMC 1.0 in all of its contracts, the initial response was skeptical. For some organizations, the strict and numerous regulations, controls, and audits made CMMC a huge budgetary and practical concern. For starters, CMMC 1.0 contained 5 maturity levels, with the more advanced levels containing 100+ processes each. Depending on your organization's size, preexisting security posture, and IT infrastructure, implementing these controls could prove a costly endeavor. This is where CMMC 2.0 comes into play. Realizing that the numerous controls might create a larger barrier to entry than anticipated, in late 2021 the DIB alongside NIST deprecated CMMC 1.0 in favor of version 2.0. CMMC 2.0 streamlined the maturity levels of the previous iteration from 5 levels to 3. The transitional levels and controls of 1.0 were removed and folded into the 3 remaining levels: Foundational, Advanced, and Expert.
The Big Difference
As previously mentioned, CMMC 2.0 streamlines the maturity levels of version 1.0 into 3 primary levels: Foundational, Advanced, and Expert.
The "Foundational" level is the new level one and contains 17 practices for organizations to follow; it also allows for annual self-evaluations. Because of the introductory nature of this level, organizations are allowed to evaluate their own company and maturity level annually, including staff, IT systems, preexisting controls, processes not yet implemented, etc.
The "Advanced" level drops 20 security requirements from the original CMMC model and requires organizations to implement 110 security practices, all aligned with NIST SP 800-171. This level does allow annual self-assessments for certain programs; however, triennial third-party assessments are required for organizations handling critical national security information and seeking compliance at this level. Compliance with level 2 of CMMC 2.0 shows that an organization is capable of securely storing and sharing Controlled Unclassified Information (CUI).
Finally, the "Expert" level requires over 110 practices, all based on NIST SP 800-172 in a similar fashion to the Advanced level. Beyond a few extra practices and controls, the Expert level requires triennial government-led assessments; self-evaluations and third-party assessments are not sufficient for this maturity level.
Let CorpInfoTech help you learn more about CMMC compliance!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.