What the Move to CMMC 2.0 Means for Your Business

Late in 2021, the Department of Defense announced proposed changes to CMMC, describing a transition to a new and simpler version two of the framework. The changes affect items such as compliance levels, cybersecurity controls, and self-assessment. Now many businesses are wondering what that means for them.

The New Features of CMMC 2.0

The goal of CMMC, in many ways, remains unchanged. The purpose is to protect both Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). What did change is the structure of the levels that make up the CMMC.

In the old system, there were five levels numbered one to five. The second and fourth levels were thought of as transition levels. So Level Two, for example, was for a company moving from Level One to Level Three.

The problem with this system was that it was confusing for businesses and created a tremendous amount of paperwork, some of it unnecessary. The transitory nature of Levels Two and Four only added to the confusion.

For a business preparing for a CMMC audit, this often meant discovering that it did not have the staffing or resources to handle every element of moving through the levels. The transition levels are therefore no longer part of the CMMC, and three levels remain.

The Particulars of Assessments at Each Level

Because Level One is the lowest of the three levels, the requirements for meeting the standard at this level are relatively modest. Companies at this level are not protecting sensitive national security information.

Because the information involved is less sensitive, these companies do not need third-party assessments. They simply need to complete an annual self-assessment of their security practices.

Level Two covers a mix of the kinds of companies you might find at Level One or Level Three. Many companies at this level do not handle sensitive information, and these companies can do self-assessments as well.

If a company at Level Two occasionally handles sensitive information, it will need to engage a third party to perform the assessment. The Department of Defense estimates that about half of the companies at Level Two need this type of third-party verification.

At Level Three, there is no option for self-assessment. Every company at this level must have an assessment from a government team.

What All This Means for Your Company

There will be a period of transition from version one to version two of the CMMC. Even so, it is essential to remember that your business should not treat this transition period as an excuse to put off meeting the requirements that apply right now.

Implementing the requirements of CMMC can be a lengthy process, and it demands a considerable commitment of your company's resources. The upside for companies, no matter which level they wish to achieve, is improved cybersecurity.

There is a general belief that the move to CMMC 2.0 will make the process simpler and much more efficient. Now is the time for your business to assess where it falls in the new hierarchy and make the changes needed to improve its cybersecurity.