CMMC 2.0 vs CMMC 1.0: What Are the Key Changes?

CMMC 2.0 has made several changes in comparison to CMMC 1.0. Here are the 6 key changes:

1. Introduction of Assessor Credentialing Process

To become a certified assessor, individuals must now go through a formal credentialing process determined and managed by the CMMC Accreditation Body. Under this new process, assessors must demonstrate relevant experience and knowledge in the cybersecurity field and be knowledgeable in the CMMC standard.

2. Clarifying the Scope of Assessment

The scope of assessment has been clarified to include organizations and their associated processes, systems, and information that support controlled unclassified information (CUI) handling operations.

3. Increasing Focus on Organizational Performance Measures

Under CMMC 2.0, organizations must meet certain performance measures, such as the proportion of CUI-handling operations and processes that are subject to audit or assessment. These performance measures will be used to gauge an organization’s overall security posture and compliance.

4. Introduction of Process and Activity Level Controls

CMMC 2.0 incorporates process-level and activity-level controls, which mandate specific security activities, such as authentication requirements for users with privileged access rights. For the first time, CMMC 2.0 requires organizations to explicitly document and control their processes for handling CUI.

5. Greater Focus on Cybersecurity Domain Requirements

CMMC 2.0 requires organizations to meet certain cybersecurity domain requirements for each of the five maturity levels, such as asset management and incident response. The focus is now on the value of preventive measures, such as user awareness training and risk assessments.

6. Introduction of Multiple Assessment Guidelines

Under CMMC 2.0, organizations are assessed in accordance with multiple assessment guidelines, which detail the steps required to successfully assess the organization on its maturity and performance levels. There are four assessment guidelines: initial, interim, repeat and continuous.

These changes demonstrate CMMC’s commitment to providing organizations with a comprehensive cybersecurity standard that meets the needs of CUI-handling operations. Whether you are an organization looking to implement CMMC or an assessor interested in certifying third-party assessments, understanding these 6 key changes is essential.