Summary of Key Updates from CMMC 1.0 to 2.0
Below is a summary of the key changes you need to be aware of to understand the difference between CMMC versions 1.0 and 2.0. For an in-depth guide to the CMMC 2.0 changes, see here.
- Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
- Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
- Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, so contractors need only implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
- Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.
For more information about CMMC compliance and how to comply with CMMC 2.0, please read our CMMC Compliance Guide. If you have any questions about getting your organization in compliance, please don’t hesitate to give us a call or schedule a consultation.