CMMC 2.0 For The Defense Industrial Base
DoD Suppliers and Higher Education Institutions
On November 2, 2021, the Department of Defense released the current version of the CMMC program, CMMC Version 2.0.
This page is built as an overview of the following:
- CMMC 1.0 To CMMC 2.0
- Why CMMC 2.0?
- Who Is Affected By CMMC 2.0?
- The Three Levels Explained
- Timelines For CMMC 2.0 Implementation
- How Does The DIB Prepare For CMMC 2.0?
- Microsoft 365 and CMMC 2.0
- CMMC Industry Events
From CMMC 1.0 to CMMC 2.0
Version 1.0
- Level 1: 17 NIST 800-171 Requirements
- Level 2: 72 Practices (65 NIST 800-171 Requirements PLUS 7 Other Practices)
- Level 3: 130 Practices (110 NIST 800-171 Requirements PLUS 20 Other Practices)
- Level 4: 156 Practices (110 NIST 800-171 Requirements PLUS 46 Additional Practices)
- Level 5: 171 Practices (110 NIST 800-171 Requirements PLUS 61 Additional Practices)
Version 2.0
- Level 1: 17 Practices (with an annual self-assessment or self-attestation)
- Level 2: 110 Practices (NIST SP 800-171 and third-party assessments for critical national security information. Annual self-assessment for select programs)
- Level 3: 110+ Practices (NIST SP 800-172 and government-led assessments)
*Important note about the change from 1.0 to 2.0* The underlying requirements in NIST SP 800-171 have not changed. These requirements still must be implemented. If a company handles and manages Controlled Unclassified Information (CUI), then CMMC 2.0 represents very little tangible change.
Why CMMC 2.0?
In January 2020, the Cybersecurity Maturity Model Certification, or CMMC 1.0, was released by the Department of Defense (DoD) in an effort to properly secure the Defense Industrial Base (DIB). In the simplest terms, this was the DoD's first pass at creating a cybersecurity assessment model and certification program. Read more about CMMC Version 1.0 here.
*Disclaimer*
This video was recorded on November 4, 2021, shortly after the DoD's release of CMMC 2.0. The intent of this video is to provide a high-level update of what changed from CMMC 1.0 to CMMC 2.0, as of Nov. 4, 2021. Information in this video may not be complete as some of the timelines for rulemaking are still being released.
As with previous updates to DFARS cybersecurity regulations, CMMC 2.0 requirements will be conveyed through contract clauses. As a result of some of the specific changes, the DoD will go through the rulemaking process in both Title 32 and Title 48 of the Code of Federal Regulations. Currently, the government-wide Controlled Unclassified Information (CUI) Program is codified at 32 CFR 2002, whereas 48 CFR contains the more familiar DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.
The DoD is using the following focus areas to guide the enhancement of the CMMC program. The revision of CMMC falls within eight categories of strategic intent:
- Focus
- Clarity
- Alignment
- Cost
- Assessments
- Trust
- Flexibility
- Speed
These eight categories are detailed in a two-part blog that can be found here: Part 1 and Part 2.
Who Is Affected?
The Defense Industrial Base
The release of CMMC 2.0 affects the following groups:
- Organizations supporting the Department of Defense or higher education research institutions handling the following types of data:
The DoD's stated goals for the revised program are to:
- Cut red tape for small- and medium-sized businesses
- Set priorities for protecting DoD information
- Reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
Level 1: 17 Practices and Self Assessment
- Classified as "Basic" by the DoD
- Requires those who handle Federal Contract Information (FCI) to meet Level 1
- Contractors must self-attest that they have implemented the requirements
Level 1 consists of 17 basic cybersecurity practices. The requirement states that all federal contractors must implement these safeguarding controls.
Level 2: NIST 800-171 and 3rd Party Assessments
One of the most significant changes from CMMC 1.0 Level 3 to CMMC 2.0 Level 2 is that the 130 controls of 1.0 Level 3 have been reduced to 110 controls for 2.0 Level 2.
- CMMC 2.0 Level 2 is for those handling:
- Controlled Unclassified Information (CUI) / Controlled Defense Information
- Controlled Technical Information (CTI)
- ITAR or export-controlled data
- What happens to the additional 20 controls from CMMC 1.0 Level 3?
- Answer: Those 20 controls are considered "CMMC-unique," meaning they were original to the first version of CMMC rather than drawn from NIST SP 800-171.
- The "Delta 20" controls were removed and are no longer required.
- Depending on the type(s) of information that you handle (CUI/CDI/CTI/ITAR) all organizations will have to prepare for:
More details on the changes from 1.0 to 2.0 are covered in a Q&A blog here.
Level 3: NIST 800-172
- A subset of NIST 800-172 (To Be Determined)
- Organizations handling CUI
- Organizations likely handling secret or top-secret information
- Depending on the type(s) of information that you handle (CUI/CDI/CTI/ITAR) all organizations will have to prepare for:
Timeline For Implementation and Rulemaking
"Everything is going to revolve around rulemaking for CMMC 2.0"
-Jacob Horne (Chief Security Evangelist at Summit 7 and industry thought leader).
- The DoD is claiming that costs, burdens, and barriers to entry are significantly reduced as a result of the changes in CMMC 2.0. However, accounting for these savings and reductions is done for the overall CMMC program, not for individual companies.
- The allowance of POA&Ms, the removal of the "Delta 20" controls, and the removal of process maturity requirements are the basis for significant cost reductions. However, if an OSC's costs and burdens were a result of NIST SP 800-171, then these changes are not as helpful as the government is indicating.
Rulemaking is often triggered by direction from Congress. For example, much of the impetus for the CMMC interim rule came from the FY 2020 NDAA. The DoD has stated that it will pursue rulemaking in Title 32 and Title 48 of the Code of Federal Regulations; based on that statement, here is what we know will be codified for CMMC 2.0 under the two CFRs.
What are the two CFRs that drive rulemaking?
Current Proposed Ruling
- The current interim rule will likely not be republished since the requirements of the interim rule still stand. DFARS 252.204-7019 and DFARS 252.204-7020 are still required and flowing through the defense supply chain.
- DFARS 252.204-7021 exists to indicate when CMMC certification is required. The process of including 7021 on a case-by-case basis is on pause so the current interim rule is unaffected.
This blog details information about the proposed and final changes for 2022 under the federal policies included in the calendar graphic above.
Preparing For CMMC 2.0
1) CMMC 2.0 Level 1: Contractors Handling FCI
- If you haven't already done so, implement the 17 practices required for CMMC 1.0 and prepare to submit your annual self-assessment results.
- Not sure if you have Federal Contract Information (FCI)? Start here.
2) CMMC 2.0 Level 2: Contractors Handling CUI / ITAR Data
- Implement NIST SP 800-171 if you have not already done so.
- Prepare for third-party (C3PAO) or government-led assessments
3) CMMC 2.0 Level 3: Contractors Handling CUI / ITAR Data / Secret / Top Secret Data
- Because the CMMC 2.0 levels are cumulative, you will need to implement the requirements for Level 1, Level 2, and Level 3
- Implement the practices based on NIST SP 800-172
- Prepare for Triannual government-led assessments of your environment(s)
Microsoft 365 and CMMC 2.0 Compliance
Many contractors in the DoD supply chain have already chosen to tackle federal compliance in the Microsoft Government Cloud. Examples of some of the applications contractors rely on are:
Do You Need Microsoft 365 GCC High For CMMC 2.0?
The short answer: No
The long answer: You likely need to choose GCC High for your overall compliance strategy.
GCC High is not required to meet CMMC 2.0 at any Level. However, Microsoft's official recommendation is that organizations planning or required to meet CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3) should deploy to Microsoft 365 GCC High. The Commercial and GCC versions of the platform can be configured to meet NIST 800-171 and the vast majority of CMMC's requirements with native security products and capabilities. CMMC 2.0 Level 2, for example, can be met in Commercial and GCC per the standards written to date.
What Is Microsoft 365 GCC High? Start here.
The graphic below represents the Microsoft platform as it relates to relevant compliance frameworks such as CMMC, DFARS 7012, and ITAR regulations.
There are several long-term concerns and considerations to assess, and these are highlighted in this guide to GCC vs GCC High.
CS2: CMMC Industry Days
What Is CS2?
CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates. These hybrid events are specifically curated towards aerospace and defense contractors and those in higher education institutions looking for practical approaches to address security threats, invest in the culture of cybersecurity for their organization, and glean best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to:
- CMMC 2.0
- NIST 800-171
- The DFARS 70 Series (7012, 7019, 7020)
- ITAR regulations
- Handling CUI and FCI
- And much more