Pentagon Releases Updated CMMC Documentation.

Author: Susan Cassidy, Ashden Fein
Position: Government Contracting Insights

The Defense Department has been increasingly focused in recent years on protecting controlled unclassified information, or CUI, within its supply chain. Until recently, contractors were working to implement requirements set forth under CMMC Version 1.0 in anticipation of the rollout.

However, the Pentagon announced CMMC Version 2.0 in November and released key documentation with implications for contractors.

CMMC 2.0 simplifies certain aspects of CMMC 1.0 and requires compliance with fewer technical controls. A key difference between the versions is the reduction in the number of levels from five to three in CMMC 2.0: Foundational (Level 1), Advanced (Level 2) and Expert (Level 3). CMMC 2.0 also eliminates all maturity processes.

Under the new version, a Level 1 self-assessment is required where federal contract information, or FCI, is involved. A Level 2 self-assessment/attestation or third-party certification is required where CUI is involved, and a Level 3 assessment is required when the Defense Department determines that a contractor must implement additional practices to reduce the risk associated with advanced persistent threats.

The Pentagon has stated that CMMC 2.0 will not be a contractual requirement until the department completes the rulemaking needed to implement the program. However, it released key documentation over the final weeks of 2021 that provides insight into forthcoming program requirements, including: a model overview document; self-assessment scopes for Level 1 and 2 assessments/certifications; assessment guides for Level 1 and 2 attestations/certifications; and the artifact hashing tool user guide.

Although that rulemaking process is estimated at nine to 24 months, these documents are highly relevant to any contractors selling to the department.

The newly released overview document outlines the general requirements that contractors must implement to achieve each level. It affirms that Level 1 of CMMC 2.0 is equivalent to all of the safeguarding requirements from Federal Acquisition Regulation clause 52.204-21 and Level 2 is equivalent to all of the technical controls in NIST SP 800-171 Rev. 2. It also indicates that Level 3 certification requirements will be a subset of the requirements in NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171," but it does not specify which requirements will apply.

In each case, the levels...
