The announcement also gave some more details:
- CMMC 2.0 will eliminate level 2 and level 4 and focus on level 3 (which will be renamed to level 2).
- CMMC 2.0 will no longer include the process maturity requirements and instead will align more closely with NIST 800-171.
- CMMC 2.0’s level 3 will now mostly be based on self-attestation/self-assessment, with third-party assessments only for certain contracts identified by the DoD.
- A Plan of Action and Mitigation (POAM) with strict timelines and guidelines will now be a part of the CMMC process.
- A rulemaking process and public review period will happen before the CMMC 2.0 requirements are applied to DoD contracts.
Direct iT wants to take this opportunity to remind those in the Defense Industrial Base (DIB) that NIST 800-171 requirements (including vulnerability assessments, SIEM, incident response, and many more) are still in place for all DoD contracts, and that most of these measures are still part of a good information systems management program.