CMMC 2.0 - Delta 20 Practices
CMMC 2.0 - Delta 20 Practices: Important Distinction for Organizations Seeking Certification (OSC)
While CMMC 2.0 eliminates the 20 additional practices that were part of CMMC 1.0 (the "Delta 20" practices), it is important that OSCs realize that some of the Delta 20 practices are already covered by the 110 practices of NIST SP 800-171. Using specific practices from the Delta 20, I have provided example mappings below showing how some of these Delta 20 practices are already part of the 110 practices of NIST SP 800-171.
NIST SP 800-171 Contains the Delta 20 Practices.
Delta 20 Practices | NIST SP 800-171 Mapping | Mapping Comments |
---|---|---|
IR.2.094 Analyze and triage events to support event resolution and incident declaration: The assessment objectives of this practice include analyzing events; performing correlation analysis on events; providing a process for reporting events so that events can be triaged, analyzed, and addressed; and escalating events to the appropriate stakeholder, as needed. | IR.3.098 - Incident Tracking: The assessment objectives of this practice include tracking, documenting, and reporting incidents. | Incidents cannot be reported without event triage. So, the Delta 20 practice IR.2.094 is already part of the 110 practices in NIST SP 800-171 via IR.3.098. |
IR.2.097 Perform root cause analysis on incidents to determine underlying causes: The assessment objectives of this practice include: the organization has a post-incident response activity, and the organization determines the root cause of incidents. | IR.3.099 - Incident Response Testing: The assessment objective summary of this practice checks that the incident response capability is tested. | Incident response capability testing cannot be completed without an incident root cause analysis. So, the Delta 20 practice IR.2.097 is already part of the 110 practices in NIST SP 800-171 via IR.3.099. |
SC.2.179 Use encrypted sessions for the management of network devices: The assessment objectives of this practice check that the tools used for establishing remote connections to network devices use encryption. | AC.3.014 - Remote Access Confidentiality: The assessment objectives of this practice include: cryptographic mechanisms to protect the confidentiality of remote access sessions are identified and implemented. | The Delta 20 practice SC.2.179 is already part of the 110 practices in NIST SP 800-171 via AC.3.014. |