The Department of Defense has announced plans to suspend its current CMMC program and replace it with a streamlined process for achieving government contract cybersecurity compliance through “CMMC 2.0.” The current CMMC program was expected to govern cybersecurity in all DOD contracts by 2026. The Pentagon expects that CMMC 2.0 will reduce the cost and administrative burden of achieving cybersecurity compliance. In CMMC 2.0, contractors must achieve Level 1, 2 or 3. Third-party accreditors will certify only certain Level 2 participants. The remaining contractors will self-certify or attain certification from government personnel responsible for cyber certifications.
- Level 1, the “foundational level,” will include 10 mandatory cybersecurity practices and require annual self-assessments.
- Level 2, known as the advanced level, will require compliance with the 110 practices aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, as set forth in DFARS 252.204-7012.
- Under Level 3, the expert level, contractors will need to employ cyber hygiene that goes beyond the 110 NIST standard practices.