
CMMC Update: November 5, 2021 - Five Key Takeaways

The silence following the Department of Defense's nine-month internal review of its CMMC implementation has finally ended. The review had several key objectives, including:

  • Safeguarding sensitive information to enable and protect the warfighter
  • Dynamically enhancing DIB cybersecurity to meet evolving threats
  • Ensuring accountability while minimizing barriers to compliance with DoD requirements
  • Contributing towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintaining public trust through high professional and ethical standards

Yesterday, the DoD released a statement that the CMMC review had been completed and that detailed modifications would follow in the coming days.

The DoD also announced that the modifications would be released under a new CMMC implementation called “CMMC 2.0”, though that statement was later withdrawn.

Here are the key takeaways:

  1. The DoD is eliminating Levels 2 and 4 and removing the CMMC-unique practices and all maturity processes from the CMMC Model. The resulting three-level model greatly reduces the complexity of the original, particularly for the many organizations that had been targeting Level 3 certification because Levels 4 and 5 were never finalized.
  2. The DoD now permits annual self-assessments for Level 1. This keeps small businesses competitive when bidding on DoD contracts by removing the significant cost of third-party certification at that level.
  3. The DoD is splitting the CMMC 2.0 Level 2 requirements to provide additional oversight of organizations that handle information critical to national security. Those companies will require triennial (every three years) third-party assessments, while the remaining Level 2 organizations can conduct annual self-assessments. Again, this is a more practical approach that still enables proper due diligence for sensitive information.
  4. CMMC 2.0 Level 3 (formerly Level 5) requirements are still under development. Given the lack of clarity around Level 5 to begin with, most organizations are unlikely to be affected, since they will aim for Level 1 or Level 2.
  5. CMMC pilots and contract requirements are suspended until CMMC 2.0 has been finalized. Because CMMC 2.0 Level 2 aligns with the 110 security requirements of NIST SP 800-171, organizations should review and implement those controls now as part of their cybersecurity baseline rather than waiting for the final rule.

Stay tuned:

We will launch additional analysis and recommendations once detailed modifications are announced.

[Figure: CMMC 2.0 Model]

