CMMC 2.0

Key updates and impacts

Ellen Ozderman

Ellen Ozderman

Director, Cyber Security, KPMG US

+1 240-750-5669

Daniel Morse

Daniel Morse

Sr Associate Advisory, Cyber Security Services, KPMG US


In early November the DoD announced (DoD CMMC Version 2.0 Release) its plan to release an updated version of its Cybersecurity Maturity Model Certification (CMMC) requirements. The initial CMMC version 1.0 was constructed to enforce the defense industrial base to better protect its networks and control unclassified information (CUI) against cyberattacks and theft by competitors. The original version included five different security levels that companies would need to achieve depending on the work they would be performing for the DoD on a specific contract. Additionally, companies would be subject to audits conducted by third-party organizations to certify that a company was meeting the required standards prior to being awarded DoD contracts. These requirements were expected to be rolled out over a 5-year period with 2025 slated to be the end date when all DoD contracts were expected to include the CMMC requirements. While CMMC version 2.0 shares the same goal of safeguarding CUI with version 1.0, there are several changes that will affect the defense industrial.

What has changed?

  • Security levels - CMMC 2.0 has reduced the number of from five security levels down to three. CMMC 1.0’s Levels 2 and 4 have been eliminated as they were deemed as transitional by the DoD.
  • Requirement changes - CMMC 2.0 has eliminated the additional 20 practices that were not published with NIST SP 800-171 Rev.2. In addition to the elimination of the 20 practices, version 2.0 has removed the processes (policies, procedures, plans) requirements that were included in version 1.0.
  • Plan of action and milestones (POAMs) - The original CMMC framework offered no room for POAMs and organizations were required to meet all practices or would fail to become certified. CMMC 2.0 will allow POAM items, however, the DoD has indicated that POAMs would not be accepted for the highest weighted requirements (5-point requirements per the SPRS scoring methodology) and acceptable POAM items would have a timeline requirement (not defined but potentially 180 days).
  • Assessment requirements - CMMC 2.0 no longer requires every contractor to undergo a third-party audit for levels 1 and level 2 contractors that have non-prioritized acquisitions. These companies will now need to self-attest (annually) that they have effectively implemented the requirements of either level 1 or 2, have a documented System Security Plan, documented POAMs, and an up-to-date SPRS score. Level 2 contractors that handle information that would be considered critical to national security will still be required to go through a third-party audit triennially.
  • Timeline - The DoD has stated that they plan to enforce the CMMC 2.0 requirements following a rulemaking period and expect that to take anywhere from 9-24 months. If the process takes 9 months, then CMMC 2.0 will go into effect around September 2022 and December 2023 if it takes the full 24 months.
  • Assessment scope - The release of the CMMC Assessment Scope guide defines the asset categories that are considered to be in-scope and also confirms the need for DoD contractors to document and inventory the assets that will be subject to the CMMC 2.0 practices. Additionally, contractors need to be able to demonstrate physical/logical isolation of in-scope CUI assets from out-of-scope assets. This enclave approach not only reduces risk but also limits the assessment scope of a contractor’s environment.

KPMG Approach to Successful Implementation

  • System boundary and scoping analysis - Leverage the CMMC Assessment Scope guide to help define your in-scope CUI assets. The system boundary definition and initial scoping analysis serve as the foundation for the CMMC journey. This includes inventorying types of CUI data in scope, mapping the flow of CUI, and identifying the system boundary.
  • Separate or “Enclave” your CUI environment - Physically/Logically isolate your in-scope CUI assets from the out-of-scope assets and document with a system architecture design.
  • Conduct a CMMC Readiness Assessment - Perform a gap assessment of your organization's current controls as compared to key CMMC security controls for the desired level. The readiness assessment establishes the roadmap for compliance.
  • Plan of Action and Milestones - Record your gaps in a Project of Action and Milestone (POAMs) and establish your System Security Plan (SSP). While CMMC 2.0 has dropped the policy, procedure, and plan controls it is vital that contractors are able to provide adequate documentation to show that Contractor Risk Managed Assets and Specialized Assets are managed properly to avoid having those assets being assessed.

Source Information:

“Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program”, U.S. Department of Defense, 4 November 2021, Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program, press release.