CMMC 2.0

Cybersecurity Maturity Model Certification 2.0

December 14, 2021

On Nov. 5 2021, the Department of Defense (DOD) announced the next iteration of “CMMC 2.0” which builds on and refines the original Cybersecurity Maturity Model Certification (CMMC) framework while preparing for future regulatory actions.

Initial highlights of CMMC 2.0 include:

  • All current CMMC pilots are suspended, and CMMC 2.0 will not be added to contracts until the federal rulemaking process is finalized in 9-24 months.
  • The CMMC model has been simplified by moving from 5 levels to 3 levels for Foundational, Advanced, and Expert cybersecurity practices.
  • Handling of CUI data is directly tied to NIST 800-171 (Level 2 – Advanced), and the additional requirements imposed at the old CMMC Level 3 have been removed.
  • The model will allow time-bound and enforceable Plans of Action and Milestones in limited instances (to be defined).

As a reminder – as DIB contractors and subcontractors we are still obligated to meet DFARS 252.204.7012 and 252.204-7020, and are also subject to DIBCAC Assessments at DOD discretion. Lockheed Martin suppliers must continue to accurately maintain their certification status (via the organization’s Exostar TPM profile) regarding the applicability of these clauses, and where applicable demonstrate their compliance to these requirements via their NIST 800-171 assessment (Exostar PIM). Lockheed Martin leadership continues to meet with DOD Acquisition and Sustainment (A&S) Organization representatives and key Prime Contractors via working groups to discuss the new details of CMMC 2.0 over the coming weeks.