What’s the Difference Between CMMC 1.0 and CMMC 2.0?

CMMC 1.0, which was released in 2020, requires the implementation of cybersecurity controls and procedures across a contractor’s enterprise network, infrastructure, and assets.

The 2.0 model is designed to make the cost and compliance requirements of CMMC more achievable for small and medium-sized businesses (SMBs) in the defense sector.

There are several notable changes with CMMC 2.0:

  • The original 5 levels of compliance have been reduced to 3 levels. The new levels are Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
  • 20 security requirements have been dropped from the new CMMC Level 2, which now requires the 110 security controls specified in NIST SP 800-171. Compliance at this level demonstrates that a business can securely store and share controlled unclassified information (CUI).
  • Waivers for certification are now allowed in certain circumstances.
  • There is some allowance, although limited, for Plans of Action and Milestones (POA&M), which can be submitted in place of meeting certain non-critical security controls. POA&Ms will only be accepted for 1- and 3-point controls.

How Does CMMC Compare to NIST 800-171?

Prior to CMMC, regulations for DoD contractors handling CUI were specified in the DFARS Clause 252.204-7012 and FAR Clause 52.204-21 and allowed for self-certification of compliance with appropriate NIST SP 800-171 controls.

The intent of the CMMC was to encompass the security requirements for CUI specified in the DFARS and FAR clauses; however, the CMMC certification model did not allow for self-attestation.

When CMMC was first put into effect in 2020, DoD contractors needed to be assessed by a certified third-party assessor (C3PAO) to become certified and ensure that the appropriate levels of security were in place.

The New Levels of CMMC 2.0

CMMC “Families”

There are 14 domains within the CMMC 2.0 model, which originated from NIST SP 800-171:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AA)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Risk Assessment (RA)
  • Security Assessment (SA)
  • System and Communications Protection (SCP)
  • System and Information Integrity (SII)

Ensure You’re Ready for CMMC 2.0 Compliance with DirectDefense

If you’re a DIB business and would like a consultant to walk you through compliance for CMMC 2.0 before July 2023, we’re here to help.

DirectDefense has deep experience with the NIST SP 800-171 certification process and assisted many organizations with CMMC compliance when v1.0 was released in 2020. We’re prepared to help your organization meet its future certification requirements.

Start the CMMC Certification process. Contact us today.