By coordinating with the National Institute of Standards and Technology (NIST), the DoD was able to create a simpler structure, built directly around the NIST SP 800-171 and SP 800-172 controls. Whilst these controls remain demanding to implement, the resulting system is easier for businesses to follow. As well as looking to improve the cyber security readiness of the defence industrial base, the DoD wanted to provide a certification that was clear and understandable.
Due to this dramatic change, though, many businesses have been left confused about the CMMC 2.0 model. Given the complete rework, this is understandable. To help, we have put together a brief guide that explains the differences between the CMMC 1.0 and 2.0 models, as well as a breakdown of the different levels of CMMC 2.0.
What is the difference between CMMC 1.0 and CMMC 2.0?
There are several differences between CMMC 1.0 and CMMC 2.0. Firstly, the model was restructured from a 5-level system to a 3-level system. Previously, CMMC 1.0 was made up of:
Level 1: Basic
Level 2: Intermediate
Level 3: Good
Level 4: Proactive
Level 5: Advanced
This was changed in CMMC 2.0 to:
Level 1: Foundational
Level 2: Advanced
Level 3: Expert
The main reason for this is that CMMC 1.0 used transitional levels (levels 2 and 4) as stepping stones to the higher levels. This was deemed too confusing and left businesses unclear as to which level they actually needed. Therefore, the DoD decided to simplify the system to 3 levels in CMMC 2.0.
CMMC 2.0 also aligns directly with the NIST SP 800-171 and SP 800-172 controls, whereas CMMC 1.0 layered its own additional practices and process maturity requirements on top of NIST SP 800-171. By dropping those CMMC-specific additions and building on established NIST standards instead, CMMC 2.0 was created to lessen the complexity and confusion associated with CMMC 1.0.
Level 1 – Foundational
Significantly easier to achieve than levels 2 and 3, level 1 was created for businesses that handle and store Federal Contract Information (FCI): information provided by or generated for the government under a contract that is not intended for public release. FCI isn't critical to national security but is still sensitive in nature, so these businesses need to prove a foundational level of cyber security.
Level 1 requires businesses to meet 17 practices. These practices correspond to the basic safeguarding requirements of FAR 52.204-21 and form a limited subset of the NIST SP 800-171 controls, designed to assure basic cyber security hygiene.
The level a contractor must meet is set by the contract, according to the information it handles. Level 1 establishes basic hygiene for contractors that only handle FCI, while contracts involving more sensitive information fall under levels 2 and 3.
This level is achievable via a self-assessment, conducted on an annual basis. The results are recorded in the DoD's Supplier Performance Risk System (SPRS), together with an annual affirmation from a senior company official that the requirements have been met.
Level 2 – Advanced
The second level of CMMC 2.0 requires a significant amount of investment from the businesses that must meet it. Rather than 17 practices, you will be required to meet all 110 practices of NIST SP 800-171.
These practices span the 14 control families of NIST SP 800-171, from access control and audit logging to incident response and system and communications protection, and must work together to form a comprehensive and effective cyber security programme.
Designed for contractors that handle and store Controlled Unclassified Information (CUI), level 2 is responsible for securing information that is important or critical to national security.
The type of assessment at this level depends on the information the business handles. For prioritised acquisitions involving information critical to national security, a third-party assessment is required every 3 years, conducted by an accredited CMMC Third Party Assessment Organisation (C3PAO). For non-prioritised acquisitions, an annual self-assessment, similar to level 1, is sufficient. In both cases an annual affirmation of continued compliance is required.
Level 3 – Expert
Designed for organisations that handle CUI on the DoD's highest priority programmes, level 3 is integral in ensuring the security of information that is critical to national security. It builds on the 110 practices of level 2 and adds a subset of the enhanced requirements from NIST SP 800-172, which are aimed at defending against advanced persistent threats.
Assessments at this level will be conducted every 3 years by a government-led assessment team from the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Organisations at this level should expect an extremely thorough and rigorous assessment designed to test the limits of their cyber security systems.
Is your business required to meet any of the CMMC 2.0 levels? Are you not sure where to start, or do you need help implementing specific cyber security capabilities into your organisation? If so, get in touch with Wizard Cyber today. Our CMMC 2.0 consultants are on-hand to walk you through the requirements, answer any questions you have, and assist you in meeting your CMMC 2.0 requirements.