The transition to CMMC 2.0 represents a significant shift in how the Department of Defense (DoD) approaches cybersecurity for the Defense Industrial Base (DIB). While the goal remains the same, protecting sensitive unclassified information, the framework has been streamlined to reduce complexity and cost.
For Federal contractors, understanding these changes is crucial. The new model simplifies the levels from five to three and aligns them more closely with widely accepted NIST standards. However, the requirement for third-party assessments on many Level 2 contracts (those involving CUI) remains a critical hurdle for many organizations.
Key Changes in CMMC 2.0
The most notable update is the consolidation of maturity levels. The original five levels have been reduced to three:
- Level 1 (Foundational): Same as the original Level 1, covering 17 basic cyber hygiene practices. This level now allows annual self-assessments instead of third-party certification.
- Level 2 (Advanced): Aligns directly with NIST SP 800-171’s 110 controls. This replaces the old Level 3. Depending on the sensitivity of the information, this level will require either a third-party assessment or a self-assessment.
- Level 3 (Expert): Replaces the old Levels 4 and 5, focusing on advanced persistent threats (APTs) and aligning with a subset of NIST SP 800-172.
“The streamlining of CMMC 2.0 does not mean a reduction in security. Rather, it focuses efforts on the most critical controls identified in NIST 800-171, making compliance more attainable but no less rigorous.”
The Impact on Enclave Strategies
With the confirmation that Level 2 is based on NIST SP 800-171, the case for using a secure enclave like SENTRE becomes even stronger. Isolating CUI into a specific, hardened environment allows organizations to:
- Ensure that the assessment boundary is clearly defined and defensible.
- Drastically reduce the scope of the assessment.
- Avoid the cost of upgrading the entire enterprise network.
These benefits hold only if the enclave is genuinely where CUI lives: any system that stores, processes or transmits CUI, or that provides security services to the enclave (identity, logging, backup, remote access), falls back inside the assessment boundary. Documenting and enforcing those data flows is what makes the reduced scope defensible to an assessor.