CMMC Level 2, “Advanced,” corresponds to contractors that handle CUI not involving the highest level of sensitivity.  There are four main ways in which CMMC Level 2 differs from FISMA:  the types of systems addressed, the control frameworks, the assessments, and the expectations for compliance.


  1. The types of systems addressed. FISMA applies to Federal systems, i.e., systems used by Government personnel or the public.  If a contractor provides outsourced IT services to a Federal agency, that system is considered a Federal system and FISMA applies.  In contrast, CMMC applies to non-Federal systems used internally by contractor personnel.  If a contractor’s system is incidental to the delivery of a broader service to a Federal agency (e.g., a service that is not primarily information processing), the system is a non-Federal system and CMMC applies.


  1. The control frameworks. FISMA uses the NIST SP 800-53 control baselines for its control requirements.  There are 261 controls addressing confidentiality, availability, and integrity in the SP 800-53r4 moderate baseline, and 287 in the newer SP 800-53r5 moderate baseline.  The CMMC Level 2 control requirements consist of the 110 NIST SP 800-171 controls.  The SP 800-171 controls were derived from the confidentiality-related controls in the SP 800-53r4 moderate baseline.  Because SP 800-171 focuses strictly on protecting the confidentiality of CUI, controls that address only availability or integrity were not carried into SP 800-171 and therefore are not part of CMMC.  (Strictly speaking, the SP 800-171 tailoring also dropped controls that NIST considered uniquely Federal or routinely satisfied by non-Federal organizations without specification, so the mapping is not one-to-one, but each 800-171 requirement traces back to 800-53 controls.)  For this reason, the CMMC Level 2 control set can be described as a subset of the FISMA control set.


  1. The assessments. FISMA entails independent assessments that are supposed to loosely follow the guidance in NIST SP 800-53A.  In practice, however, the depth and thoroughness of FISMA assessments vary considerably, because there are no specific requirements or quality-control mechanisms to standardize assessment processes and approaches.  FISMA assessments are also performed every year, with at least one-third of the controls assessed annually.  In contrast, CMMC Level 2 allows annual self-assessments and requires an independent assessment only for the subset of contractors that handle “prioritized” CUI that is especially sensitive or critical.  For Level 2 systems that require an official third-party assessment, the process is highly formalized: assessments must follow a rigorous procedure to ensure consistency, and multiple levels of quality assurance are in place.  CMMC assessments can be performed only by experienced, trained, and specially accredited assessors working for formally accredited assessment organizations, under the oversight of the CMMC Accreditation Body (CMMC-AB).  A CMMC certification lasts three years, so DoD contractors will need to undergo a full assessment of all CMMC practices triennially.


  1. Expectations for compliance. FISMA is designed to identify and disclose unmitigated risk so that the system owner can make a risk-based decision about authorizing the system for use.  Accordingly, a FISMA Plan of Action and Milestones (POA&M) simply lists the compliance gaps for the system owner’s review; whether the risk of non-compliance is acceptable is entirely at the system owner’s discretion.  In contrast, the DoD does not want to have to evaluate each contractor’s non-compliance to determine whether the risk is acceptable, so CMMC is constrained to be closer to a “pass-or-fail” framework with some flexibility.  While the rules around this flexibility are still being worked out, the DoD has indicated that gaps will be accepted in a POA&M only if they affect less-significant controls, and that those gaps must be resolved within 6 months.  DoD has also indicated that a minimum score will be required to support a CMMC certification.  Further details and guidance are pending.