CMMC Framework Updates

What you need to know about the CMMC framework updates releasing on 10/16/2024.


Overview

Initially, Drata provided CMMC 2.0 as a requirements-only framework, where you managed your own controls, policies, and risks. However, with the 10/16/24 CMMC 2.0 control mapping release, we will provide full framework support so that the CMMC 2.0 product has all the automation and enablement resources that Drata offers.

If you already had CMMC 2.0 prior to 10/16/24, you may experience a change in your framework readiness when the updates are released.

Read on to learn about the updates and your action items on release day.

Pre-release Framework

Please note that Drata is offering CMMC 2.0 as a pre-release framework, which we define as a framework that has not yet been finalized as a regulatory or compliance standard. CMMC 2.0 is a pre-release framework because the U.S. Department of Defense still has the framework in the rulemaking process and has suspended certifications. As such, there is a chance that upon the official release of the framework, there may be changes to the current requirements, which Drata will implement soon after.

The framework also includes only the Level 1 and Level 2 baselines. Level 3 has not yet been released by the DoD.

Updates to this framework in Drata

Here is an overview of the resources/features included in the CMMC 2.0 framework:

| Resource | Details |
| --- | --- |
| Level Picker | Select your baseline: Level 1 or Level 2 |
| Requirements | 110 |
| Mapped DCF Controls (Total) | 195 |
| Newly-provisioned DCF controls* | 26 |
| DCF Control Updates* | 16 Name Updates; 63 Description Updates; 18 Control to Policy Mapping Updates |

Policies

23 policy templates are associated with this framework:

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Change Management Policy

  • Data Classification Policy

  • Data Protection Policy

  • Data Retention Policy

  • Encryption Policy

  • Incident Response Plan

  • Information Security Policy

  • Logging and Monitoring Policy

  • Maintenance Management Policy

  • Network Security Policy

  • Password Policy

  • Physical Security Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Control Policy

  • System and Information Integrity Policy

  • System and Services Acquisition Policy

  • System Security Planning Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

* The new controls and control revisions are not specific to CMMC 2.0. You may already have the new controls and control revisions as part of another framework.

Next steps to take on 10/16/2024

If you are a customer with CMMC prior to the release of the full framework support, you may experience a change in your readiness score because of the newly-added controls. You can mark the new controls we added to your account out of scope if you don’t want to use them, but we recommend reviewing these new controls and associated mappings first, which were created by Drata’s GRC experts to help you in implementing this framework.

Your readiness score may have also changed because of policy templates that we have added to your account for this framework, which you may not have had before. We recommend reviewing these policy templates and incorporating them into your compliance program, but you can also choose to archive them if you want to use your own policies.

Here’s an overview of action items to take:

  1. Assess all additional DCF controls to determine if they are applicable or relevant to your organization. If they are not or if you want to continue managing your own control set as-is, you can mark them out of scope.

  2. Additionally, some controls have received updated templates. Revert to the latest template for the most accurate information and guidance.

  3. Review any additional policy templates, edit them as appropriate, and approve them. Once approved, send them to your personnel for acknowledgement, if applicable. Otherwise, archive them.
