The US Department of Defense updated its main CMMC website, OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil), to include an updated CMMC Model consistent with the information released on Nov. 4 about CMMC 2.0. It also released scoping guidance for CMMC 2.0 Levels 1 and 2, and a hashing approach for preserving evidence.
Among other changes, Level 2 of CMMC 2.0 drops the 20 “bespoke” CMMC controls that had been in Level 3 of CMMC 1.0, meaning it is limited to the 110 controls defined in NIST SP 800-171. The CMMC domains are also reorganized, with 3 of the domains (Asset Management, Recovery, and Risk Management) dropped. CMMC 2.0 also adopts a new numbering scheme for each practice: DD.L#-REQ, where DD is the domain abbreviation, L# is the level number (e.g., L2), and REQ is the NIST SP 800-171 or 800-172 security requirement number.