Published: April 5, 2023
By TalPoint Marketing e-books
download pdfWhat to expect when CMMC 2.0 roles out
The cyber supply chain is increasingly becoming the weakest link in the cybersecurity infrastructure of defense contractors. Third parties and business associates, such as Cloud Service Providers (CSPs) that work as defense contractors, have long battled to create a reliable cyber defense for sensitive data processed on behalf of their clients.
The US Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC 1.0) framework in 2020 to help with this and to assure cyber resilience in its supply chain.
The CMMC framework is intended to assist Defense Industrial Base (DIB) contractors in better assessing and improving their cyber security posture by ensuring that all DoD contractors implement cyber security best practices to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
On July 17, 2021, the DoD announced the introduction of the CMMC 2.0, which would replace the current CMMC certification levels.
The most recent CMMC 2.0 features a few significant modifications that will ease some of the rigorous restrictions imposed by the prior model. The aim for CMMC, however, remains the same: to establish fundamental cyber hygiene requirements to protect sensitive data and create national cyber resilience.
This guide introduces the CMMC 2.0 model, the new levels of CMMC, and how to prepare for your CMMC compliance journey.
The Cybersecurity Maturity Model Certification, developed in response to the increasing cyber threat scenario, is an overarching standard for cybersecurity implementation throughout the Defense Industrial Base (DIB) and government contractors.
CMMC is also backed by federal universities and institutions, cybersecurity contractors, subject matter experts, and R&D facilities around the country. Its primary purpose is to raise and standardize cybersecurity standards throughout the US DoD supply chain and prevent cybercriminals from gaining access to high-value organizations via weaker linkages in the supply chain.
CMMC compels DoD contractors to undertake external security audits in addition to incorporating all well-known government cybersecurity standards such as the National Institute of Standards and Technology 800-171 (NIST 800-171), NIST SP 800-53, the International Organization for Standardization (ISO) 27001, ISO 27032, and Aerospace Industries Association (AIA) NAS9933.
The following are the most significant modifications to CMMC:
CMMC 1.0 had five levels of maturity. CMMC 2.0 eliminates the transition levels (Levels 2 and 4), resulting in a simpler model with only three levels.
For firms that do not handle Controlled Unclassified Information (CUI) but solely Federal Contract Information (FCI), CMMC 2.0 Level 1 (Foundational) remains the required level.
The original CMMC Level 3 has been replaced by CMMC 2.0 Level 2 (Advanced). This is the minimum requirement for contractors who work with CUI. However, it only covers 110 of the original Level 3’s 130 practices.
The more demanding standards of the original Level 5 are now included in CMMC 2.0 Level 3 (Expert). A small number of contractors will require this sophisticated degree of cybersecurity.
Every maturity level in the original edition of CMMC requires an official evaluation by a Certified Third Party Assessment Organization (C3PAO).
However, businesses now at CMMC Level 1 will no longer be required to undergo such an examination. Instead, they will do an annual self-assessment with senior leadership approval and submit it to the Supplier Performance Risk System (SPRS). As a result, small contractors will save a lot of money on assessment fees.
This is the most ambiguous change. The Department of Defense has proposed a “bifurcation” of the original CMMC Level 3 standards, prioritizing some acquisitions for third-party evaluation while allowing others to self-attest.
Despite the initial plan to branch out the requirements for Level 2 companies, it appears that the Department of Defense will drop this feature and require all Level 2 companies to be assessed by a Third-Party, according to DoD Deputy CIO David McKeown:
“At level two, this is where we started having controlled unclassified information,” McKeown said on February 10. “We thought maybe we could bifurcate this into the types of QE (qualified entities) that were really important to the department and the ones that were not. But in the end, when we did the analysis, it looks like a universe of about 80,000 companies that are going to fall into this bucket here. Probably all of them will have to get a level two assessment.”
What that means for your organization remains to be seen until more clarification is released. In the interim, it’s prudent to plan as though all CMMC Level 2 (previously Level 3) firms will need a third-party evaluation.
This has a direct impact on contractors that handle CUI. The initial CMMC requirements added 20 more practices to the NIST SP 800-171’s original 110. These 20 additional criteria have now been eliminated.
CMMC 2.0 no longer includes the prior version’s maturity processes. This significantly reduces the amount of documentation necessary and eliminates most of the uncertainty in the previous paradigm.
The old edition of CMMC needed a perfect score. However, like previous Defense Federal Acquisition Regulation Supplement (DFARS) mandates, contractors may now submit a time-bound “Plan of Action and Milestones” to address specific areas of noncompliance.
This implies that a perfect compliance score is no longer required to gain certification. Instead, you can give a specific, time-bound strategy to remedy any gaps in your compliance. You will be reassessed after a period designated by the DoD to ensure the PoAM issues have been fixed.
CMMC certifications now fall under one of three levels associated with the National Institute of Standards and Technology (NIST) cybersecurity framework, rather than the five compliance levels described in CMMC 1.0:
Level 1 assessment requirements dictate that companies adopt fundamental measures to prevent cyberattacks. They may, however, be able to implement these activities ad hoc without depending on paperwork and are permitted to achieve certification through an annual self-assessment.
As a result, C3PAOs do not measure level 1 process maturity. Because activities at this level are primarily concerned with the protection of FCI, level 1 only contains practices that fulfill the fundamental safeguarding standards outlined in Title 48 of the Federal Acquisition Regulations (CFR)
Contractors and subcontractors for the Department of Defense who handle Federal Contract Information (FCI)
Level 2 mandates businesses describe their processes to steer their efforts toward CMMC Level 2 maturity. This documentation must also make it possible for users to replicate these processes.
Level 2 procedures are defined as advanced cyber hygiene practices (sometimes known as intermediate cyber hygiene) and are a step up from level 1. Level 2 compliance assessment standards vary depending on whether the CUI data handled is essential or non-essential to national security.
For example, organizations with prioritized acquisitions that address vital national security data must undergo a higher-level third-party assessment with a C3PAO every three years. In contrast, non-prioritized assets with non-critical national security data must complete an annual self-evaluation.
Level 2 compliance is required for DoD contractors and subcontractors that handle the same sort of Controlled Unclassified Information (CUI). The subcontractor may be subject to a lesser CMMC level if the prime merely passes down specific information.
The level 3 CMMC model decreases a system’s vulnerability to Advanced Persistent Threats (APTs) by compelling an organization to develop, implement, and finance a strategy to manage the activities required to implement its cyber security practices.
This plan may include information on various subjects, such as objectives, missions, projects, resourcing, training, and the participation of organizational stakeholders.
This level’s cybersecurity measures are solid cyber hygiene procedures that focus on protecting CUI. However, they include the security standards specified in NIST SP 800-171 and the additional 20 practices for CMMC level 2.
DFARS 252.204-7012 remains in effect, imposing additional duties beyond NIST SP 800-171, such as reporting security incidents.
Although the DoD is presently establishing its security criteria, it is akin to CMMC 1.02 Level 5. However, it has already been stated that the Level 3 standards would be based on NIST SP 800-171’s 110 controls and a portion of NIST SP 800-172 controls.
Companies that manage CUI for DoD programs with the highest priority are subject to CMMC 2.0 Level 3.
The CMMC ecosystem is constantly changing and includes many moving elements. Depending on the CMMC level your firm must attain, you must demonstrate CMMC compliance through self-assessment or be examined and certified by a third-party organization or DoD authorities.
Only a few organizations must certify their compliance through a third-party organization, specifically CMMC level 3 and some level 2 companies.
The US Department of Defense has designated the CMMC Accreditation Body (CMMC-AB) to be the single official source for the successful implementation of CMMC Assessments and Training with the DOD contractor community. This organization changed its name to The Cyber AB in June 2022.
There are two types of organizations you may face on your path to certification. The Cyber AB has trained and registered/certified both of them:
Each organization, scope, implementation, and certification is unique since it is determined by several elements such as timeframe and cost. Among the most critical factors are the following:
While these considerations affect timing, the typical example of the CMMC implementation timetable and the CMMC certification procedure below will give you a fair picture of the required stages and some time estimates.
In this phase, you will determine the company goal and analyze the current state vs. the requirements.
Among the items considered are the following:
This includes the following:
This phase typically takes 6-8 weeks (CMMC Level 1) to 6-12 months (CMMC Level 2), mainly relying on the company and its current information security posture. Implementation of CMMC Level 3 will take at least 12 months.
The CMMC Levels after 1 need proof of system maturity. Therefore, you will need time after the implementation phase to create the proper Certified 3rd Party Organization (C3POA) of your choice to conduct the Certification Assessment.
This phase is also utilized to make necessary modifications and enhance procedures.
A Certified 3rd Party Organization (C3POA) of your choice will conduct the Certification Assessment.
The complete assessment procedure will take 6-8 weeks and will be divided into three steps:
The C3PAO will submit its results to the Cyber AB (previously the CMMC Accreditation Body), which will offer you accreditation.
This phase does not apply to you if you only have CMMC Level 1 requirement or if you fall into the subset of Level 2 that does not contain information necessary to national security.
Consider the following strategy for achieving CMMC compliance.
Verify the projected maturity level and validate your audit requirements. Determine major compliance deadlines and begin your program immediately.
Confirm your maturity level and audit criteria with the procurement office, and look for updated contract material that confirms your requirements.
TalPoint experts can walk you through every facet of the CMMC program lifecycle. This involves identifying needs, developing implementation standards, creating controls, preparing for audits, and more. With the right expertise in your back pocket, you can substantially lower risk of non-compliance while meeting your compliance deadlines.
Depending on your level, this will range from a subset of NIST SP 800-171 to the NIST SP 800-171 110+ practices. The Department of Defense intends to provide fundamental requirements by May 2023; however, you should immediately start because the program will include urgent implementation needs.
This strategy serves as the foundation for NIST SP 800-171 compliance. The SSP can be integrated into your existing cybersecurity initiatives, but it must meet all your levels 1-3 standards.
This document explains why you cannot meet standards, the activities you are doing to resolve the weaknesses, and the plan implementation dates.
If your contract specifies audit requirements, contact a certifying body early in the development of your CMMC program. Due to the scarcity of certified auditors, audits must be scheduled months in advance. We propose establishing a connection immediately to ensure that the scope, timeframe, and program expenses are all well-defined.
It is not enough to develop a program; all users must be educated on new CMMC cybersecurity and workflow standards. Instead of hour-long yearly classes that result in minimal retention, try a drip program that includes monthly micro lessons. Make a role-based program that focuses on interacting with CMMC-classified data.
Organizations that are not subject to external audits should develop a self-evaluation procedure. A successful self-assessment program considers all SSP criteria and then assesses the items regularly. The frequency and depth of testing are determined by risk and compliance requirements.
By partnering with TalPoint, you gain access to our private network of leading cybersecurity experts that can help you assess the unique needs of your organization and execute a comprehensive compliance certification program.
Our compliance and cybersecurity experts can also assist with your self-assessment, if required, and submission to SPRS; and help your company in preparation for your third-party certification audit, if required.
Charlies is a 14 year cyber security expert. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he's well-versed in tool deployment and administration.
Ellen bring a decade of GRC expertise to the TalPoint community. She's knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She's available for needs assessments, gap assessments, internal audits, and for certain frameworks running independent 3rd party audits.
Zachary bring a 20+ year career in risk management to the TalPoint community. He's worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk as well as a common sense approach to risk management.