
CMMC Level 1 - The changes

Dare to change

The much-anticipated CMMC document was finally released late in 2023 after a long period of silence. Some contractors might have become complacent during that silence, thinking that maybe, just maybe, CMMC would go away. Well, here we are in 2024, with CMMC on our doorstep. We are starting this year with deep dives into the new document, unearthing the changes made and the reasons behind them.

History in short

The Cybersecurity Maturity Model Certification, or CMMC, directly correlates to U.S. Defense Industrial Base (DIB) supply chain management. The CMMC project was developed by the Office of the Under Secretary of Defense and was known as “CMMC 1.0.” Beginning in 2021, the DoD started work on “CMMC 2.0” and released the updated framework by the end of 2021. One of the drivers for CMMC 2.0 was to make the framework more accessible for small organizations: many small businesses that contract with the DoD found themselves unable to meet the requirements of CMMC 1.0, which led to the updates.

The DoD officially submitted the latest CMMC rule to OIRA on 24 July 2023, and on 26 December 2023 CMMC was released as a proposed rule, opening a 60-day window for comments to be submitted.

Level 1 is the lowest level of certification and is based on the authoritative document FAR 54.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Level 1 Changes

As mentioned, the CMMC is quite a lengthy document, and comparing the submitted document with the released one is even more protracted. Most changes were made to the “Further Discussion” and “Example” areas of the regulations.

The changes made reflect a road to better understanding. Words were added, and sentences were reconstructed for clarity. AC.L1-3.1.1 Authorized Access Control and AC.L1-3.1.20 External Connections have seen no changes to the body of the regulation. The wording “FCI Data” was added to all the regulation headings, which makes it very clear which level of CMMC you are currently navigating. When your company works through the same self-assessment section for CMMC Level 2, the wording changes to “CUI Data” to reflect the Level 2 certification status.

The numbering of the regulations has been changed in the new document; the first four identifying numbers have stayed the same, while the numbers after the dash have changed.

Another change seen throughout the document is the replacement of the word “contractor” with “OSC,” Organization Seeking Certification.

In the newly released CMMC, the following three regulations, PE.L1-3.10.3 Escort Visitors, PE.L1-3.10.4 Physical Access Logs, and PE.L1-3.10.5 Manage Physical Access, are combined into one subject: PE.L1-B.1.IX – Manage Visitors & Physical Access [FCI Data]. However, “PE.L1-B.1.IX – Manage Visitors & Physical Access [FCI Data]” carries all the old regulations as sub-regulations, so you will still have to comply with each of them.

List of Level 1 subject changes

[Table: CMMC Level 1 Subject Changes]

Conclusion

The changes in the CMMC Level 1 document seem insignificant, and in scrolling through the document you might be tempted to think that everything has stayed the same. The changes that were made show the DoD’s effort to create a clear document; the wording leaves little room for misinterpretation. As we come to the end of the public comment period in February, the document is expected to be accepted with very few additional changes. I advise contractors to start their CMMC journey now, avoid the rush, and get their cybersecurity program ready to comply.

Visit our store to sign up for the CMMC Level 1 Readiness Assessment.
