
CMMC Update: November 5, 2021 - Five Key Takeaways

The silence from the nine-month-long Department of Defense internal review of its CMMC implementation has finally ended. The DoD review had multiple key objectives, including:

  • Safeguarding sensitive information to enable and protect the warfighter
  • Dynamically enhancing DIB cybersecurity to meet evolving threats
  • Ensuring accountability while minimizing barriers to compliance with DoD requirements
  • Contributing towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintaining public trust through high professional and ethical standards

Yesterday, the DoD released a statement that the CMMC review was completed, and detailed modifications will be coming in the following days.

The DoD also announced that the modifications will be under a new CMMC implementation called “CMMC 2.0”, but this statement was later withdrawn.

Here are the key takeaways:

  1. The DoD is eliminating Levels 2 and 4, and removing CMMC-unique practices and all maturity processes from the CMMC Model. The new 3-Level model will greatly reduce the complexity of the original, especially with many organizations targeting Level 3 certification due to Levels 4 and 5 not being finalized.
  2. The DoD is now permitting annual self-assessments for Level 1. This enables small businesses to remain competitive when bidding for DoD contracts by removing significant cost requirements for third-party certification.
  3. The DoD is separating CMMC 2.0 Level 2 requirements to provide additional oversight for organizations that handle information critical to national security. Those companies will require triannual third-party assessments, while the remaining organizations can conduct annual self-assessments. Once again, this is a more practical approach that still enables proper due diligence for sensitive information.
  4. CMMC 2.0 Level 3 (formerly Level 5) requirements are still under development. Given the lack of clarity around Level 5 to begin with, most organizations are likely not impacted, as they will aim to achieve either Level 1 or Level 2 certification.
  5. CMMC pilots and contract requirements have been suspended until CMMC 2.0 has been finalized. With CMMC 2.0 Level 2 requirements aligning with NIST SP 800-171, it would be a good idea for organizations to review and implement those controls as part of cybersecurity best practices.

Stay tuned:

We will launch additional analysis and recommendations once detailed modifications are announced.

Figure: CMMC 2.0 Model
