If you are a company that works with the Department of Defense, you need to understand all of the intricacies of the Cybersecurity Maturity Model Certification program or CMMC. Since the original release of this program, there have been several revisions, and these updates sit in a new 2.0 version of the program. Here are some of the details of what is a CMMC compliance 2.0.
How Version 2.0 Differs From Version 1.0
Initially, this program asked for external audits of every company that worked with the Department of Defense. All of these audits needed to get done within five years. Because of the complexity of the CMMC framework, there was quite a bit of pushback as there were concerns that the cost of maintaining compliance via third parties would force quite a few companies out of the business of working with the Department of Defense.
As a result, in November 2021, the department released a much more streamlined 2.0 model for the program. At the heart of the new program was an emphasis on reducing costs while still aligning all cyber security requirements with other similar federal requirements. The department believed that this new approach would be accessible to companies of all sizes.
Version 2.0 reduced the number of levels from 5 to 3. This change allowed quite a few more companies to meet the requirements of level one easily. Version 2.0 also eliminated 20 of the security requirements necessary to reach level two. This change made it much easier for companies to meet this level’s requirements, showing they can securely share and store confidential information.
In this version, there is even the possibility of getting a waiver for certain requirements. While the circumstances where these waivers will get allowed have limits, this is still a possibility, especially for smaller companies.
The Basics of All Three Levels CMMC 2.0
Level one of this new version of the program is the foundational level of the program. This level relies on the 17 controls found in the details of the Basic Safeguarding of Covered Contractor Information. The primary purpose of this level is to protect sensitive information and limit its access to only authorized users.
Level two of the program offers a much more robust and evolving focus on cyber security. This level aligns with the 110 security controls and the 14 levels designed by the National Institute of Technology and Standards to protect sensitive information. While this is a more comprehensive set of protocols than level one, it is a level that most companies can achieve through diligent work.
Level three focuses on reducing or eliminating the risk from Advanced Persistent Threats. This level is one for companies that work with the highest priority programs of the Department of Defense.
With a new streamlined system, the Department of Defense feels that most companies should be able to achieve and maintain the appropriate security level given their needs. The key for any company that participates in this model is to understand what level is a requirement of your company based on the work you do with the department and then create internal systems and programs to meet those needs.
Visit for more articles: forbesblog.org
