As further described at https://www.acq.osd.mil/cmmc/ , to safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.
Each level is based on a set of required practices and controls, and the levels are tiered: each level builds on the previous one.
At level 1: Organizations will still need to demonstrate basic cyber hygiene across 17 practices that represent the basic safeguarding requirements under FAR 52.204-21, which has been in place since 2016.
At level 2: Organizations will have to demonstrate they have implemented the requirements of NIST SP 800-171, the same controls that were already required under the preexisting DFARS 252.204-7012 clause. This includes 110 practices along with the level 1 requirements.
At level 3: Contractors will need to demonstrate compliance with a subset of NIST SP 800-172. NIST SP 800-172 was designed to help protect against Advanced Persistent Threat (APT) actors that are currently targeting the US Department of Defense supply chain, and it provides the foundation and controls for a defense-in-depth protection approach. These 110 additional practices must be complied with along with the level 1 and level 2 requirements.
CMMC Level 1: Allows suppliers to self-attest to their compliance through annual self-assessments. The biggest change from the current process is that executives will now be the ones who have to certify their organization and attest to compliance with the standards.
CMMC Level 2: Has two different approaches to compliance, which differ depending on the type of data processed or hosted by the organization. Organizations that handle critical national security information would likely be required to undergo an assessment by a C3PAO (CMMC Third-Party Assessment Organization), whereas others could still have their executives perform a self-assessment.
CMMC Level 3: Suppliers will be required to undergo a government-led assessment every three years. It is anticipated that this will be performed by the DCMA DIBCAC (Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center) team.
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process, which can take from 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
While these rulemaking efforts are ongoing, the Department of Defense has suspended the current CMMC Piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation.
Those who have deployed FedRAMP-authorized solutions with Project Hosts may be automatically compliant with CMMC 2.0 through reciprocity. While this process is not finalized, the DIBCAC team that has been tapped to perform the level 3 assessments endorses reciprocity for FedRAMP requirements (see "Pentagon 'endorses' reciprocity for CMMC, FedRAMP requirements", Federal News Network), and it is expected that the same reciprocity would be applied to level 1 and level 2 organizations as well.