Soldier working with a laptop computer showing CMMC for DoD contractors

What the New CMMC 2.0 Rule Change Means for DoD Contractors

Firms bidding for Department of Defense (DoD) contracts will have a revised set of cybersecurity rules to abide by, with the updated version of the proposed Cybersecurity Maturity Model Certification (CMMC) being announced after a rigorous six-month internal assessment.

Known as CMMC 2.0, this new version pares down the scope of the original requirements, allowing greater flexibility and relaxing the rules for contractors and subcontractors who do not directly handle sensitive or classified information.

Placing the new rules in context

The original CMMC proposal, announced in April 2020 following the SolarWinds hack, would have created complex cybersecurity regulations for DoD contractors, which would have significantly raised the costs of compliance, a move critics say would have priced out smaller firms from bidding on and obtaining contracts.

The SolarWinds hack saw severe data breaches in multiple branches of the US government and ignited calls for stricter cybersecurity measures. The hackers accessed the emails of several high-ranking Department of Homeland Security officials, including the department’s acting secretary.

In response, CMMC was announced to require rigorous third-party assessments of contractors’ security protocols, aiming to better safeguard sensitive information. The CMMC program lays out cyber protection standards for all companies operating in the defence sector; by standardizing requirements, CMMC provides the DoD with assurance that contractors and subcontractors are implementing strict security practices to prevent future attacks.

While strengthening the cybersecurity of the industrial base requires urgent and immediate action, the original version of CMMC was both applauded and staunchly criticized; advocates say it raised cybersecurity measures across the defence sector, but opponents argued the regulations were too onerous and created unnecessary red tape for contractors.

It is hoped that the updated version of the certification protocol can assuage both critics and opponents by maintaining national security interests while easing the implementation of security protocols. Essentially, CMMC 2.0 seeks to apply the appropriate level of security protocols relative to the sensitivity of information and nature of the work

What’s changed under CMMC 2.0?

The announced changes will impact all companies vying for DoD contracts.

In order to simplify compliance with DoD cybersecurity standards, the CMMC 2.0 framework implements a new tier system for the sensitivity of DoD information and establishes context-dependent rules for its more than 300,000 independent contractors.

Of particular significance, the five tier security system proposed in the original CMMC framework has been revised down to three. Originally, any external firm doing business with the DoD would have had to meet the requirements of one of five CMMC levels: basic cyber hygiene, intermediate cyber hygiene, good cyber hygiene, proactive and advanced.

Also, under the original CMMC framework, all contractors would have been required to undergo a third party security assessment. This has been relaxed in CMMC 2.0, with only those contractors handling sensitive data required to do so, while those that don’t are permitted to perform self-assessments.

Here’s a breakdown of the three levels under CMMC 2.0, along with the assessment requirements in each level.

  • Level 1 Foundational applies to contractors that neither receive, process or create controlled unclassified information (CUI), nor handle high value assets (HVA). Companies in this level must perform annual self-assessments of their security protocols, which must be affirmed by company leadership. This is aligned with the existing standard: FAR 52.204-21.
  • Level 2 Advanced applies to contractors that receive, process or create CUI but not HVA. However, there are two subsections within this level, depending on whether or not a company handles CUI classified as Critical National Security Information; for those that don’t, an annual self assessment is sufficient, while for those that do, a third party assessment will be required once every three years which can be conducted by C3PAOs. This is aligned with the existing standard: NIST SP 800-171
  • Level 3 Expert applies to any contractor that handles HVA. Full details are yet to be confirmed, but the assessments required at this level must be completed by the government, rather than a C3PAO. This is aligned with the existing standard: NIST SP 800-172.

As CMMC 2.0 will significantly reduce the number of contractors that require a third-party security assessment, the DoD hopes this will enable a faster rollout and implementation cycle. The original CMMC standards were intended to be implemented over a five-year period, a move starkly criticized by advocates who argued for stricter measures to be applied immediately. As a result, the DoD emphasized the importance of “streamlining” cybersecurity protocols in its release of CMMC 2.0.

Furthermore, CMMC 2.0 allows for “Plan of Action and Milestone” reports, otherwise known as PoAM, which allows contractors who currently do not meet the security requirements to continue to bid on DoD contracts, provided they also submit an outlined plan to implement the required security procedures in the future.

How should DoD contractors prepare for CMMC 2.0?

Although CMMC 2.0 will reduce the burden of cyber security audits and other requirements for many DoD contractors compared to the original proposals, contractors shouldn’t become complacent.

In terms of preparing for CMMC 2.0, the first step is to determine which level of compliance will apply to your business. This will depend on whether or not you handle CUI or HVA.

Next, you’ll need to map out a timeline to compliance. Although this could be a little tricky, as the DoD hasn’t yet announced a date for the implementation of CMMC 2.0 as it still needs to complete rulemaking. But, according to the ACQ, the rulemaking process is expected to take 9 to 24 months.

Thankfully, as each of the new levels are aligned with existing standards, there is plenty of literature already available on achieving these standards. What’s more, for contractors that outsource IT and cyber security to managed service providers (MSPs), many MSPs will have experience with these standards and will be able to assist contractors throughout the entire process.

Also, getting ahead of the curve and being CMMC 2.0 ready before the official start date could also be advantages for contractors as the DoD is exploring providing incentives to companies that achieve compliance during the interim period.

New CMMC 2.0 pares down the scope of the original requirements, allowing greater flexibility and relaxing the rules for DoD contractors and subcontractors who do not directly handle sensitive or classified information. #cybersecurity #respectdataClick to Tweet

Ultimately, many DoD contractors will be letting out a sigh of relief with the publication of the CMMC 2.0 framework. The largest burden from the original proposal – third party security assessments for all contractors – has been removed. Let’s hope the new framework delivers on the DoD’s objectives of balancing security concerns with the practicalities of doing business.


Sr. Director of Security and CISO at Ntiva