Everything DoD Contractors Need to Know about CMMC 2.0
The Department of Defense (DoD) recently announced a major update to the Cybersecurity Maturity Model Certification (CMMC) program, dubbed CMMC 2.0. The CMMC program is a comprehensive framework to protect the Defense Industrial Base (DIB) from increasingly frequent and sophisticated cyberattacks by criminal hackers and unfriendly nation-states.
The CMMC was developed to systematically assess and certify the maturity of an organization’s cybersecurity processes and procedures. According to the DoD, the streamlined CMMC 2.0:
- Cuts red tape for small and medium-sized businesses
- Sets priorities for protecting DoD information
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
Evolution of CMMC
The CMMC was originally introduced in 2020 (CMMC 1.0) and was intended to address widespread concerns about the loss of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the Defense Industrial Base. Controlled unclassified information is information that is sensitive but not sensitive enough to be classified; federal contract information is information about a product or service to be provided to the government that is not intended for public release.
CMMC 1.0 built upon DFARS clause 252.204-7012, which required federal contractors to maintain adequate security on all covered contractor information systems and to comply with the 110 security requirements outlined in NIST SP 800-171. The DFARS clause also required defense contractors to “self-attest” their compliance with this standard and to maintain a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) documenting their security gaps.
The Cybersecurity Maturity Model Certification was developed to address some of the shortcomings of this original approach. It was determined that while the security standard of the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 was appropriate, the DFARS clause lacked accountability. The self-attestation model and the broad allowance for non-compliant items carried on a POA&M meant that many defense contractors never implemented the standard, managed their security program, or remediated the non-compliant items.
CMMC 1.0 sought to fix these issues by setting up a tiered system of requirements across five levels, ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced, progressive cyber hygiene); removing the allowance for POA&M items; moving to an independent third-party certification model; and introducing significant documentation and governance requirements through process maturity requirements.
In time, however, maintaining all five levels proved too expensive and complex for most small to midsize defense contractors (SMBs), and as a result CMMC 2.0 was born. CMMC 2.0 now encompasses only three levels of security – Foundational (Level 1), Advanced (Level 2), and Expert (Level 3) – consolidating and updating the previous standard.
The Three Levels of CMMC 2.0
CMMC 2.0 drops the number of CMMC levels from five to three by doing away with the old Levels 2 and 4, which were originally developed as transition levels. The new CMMC 2.0 levels are based on the type of information DIB companies handle. Let’s take a closer look at these levels:
- Level 1 (Foundational): Nothing has really changed with this level in the newer model. Level 1 is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focuses on the protection of FCI. Contractors or suppliers who handle only Federal Contract Information (FCI) fall under Level 1, since this type of information requires protection but is not critical to national security. Companies at this level must conduct annual security risk assessments, document the results, and remediate the gaps to prove compliance. They may opt to self-assess or to use the services of a qualified third-party assessor. Although this is the lowest level, implementing these controls is not an overnight process, so contractors should remain diligent when doing so.
- Level 2 (Advanced): CMMC 2.0’s advanced level is geared toward organizations handling CUI. Contractors now must comply with 110 practices; the 20 additional practices that CMMC 1.0 had layered on top of that set are gone. Level 2 maintains full NIST SP 800-171 compliance but eliminates the bespoke CMMC requirements. For some contracts that must meet the Level 2 requirements, third-party assessments by a CMMC 3rd Party Assessment Organization (C3PAO) must be conducted every three years, while other contractors will be able to self-certify instead of undergoing a third-party assessment. However, the DoD has not yet provided the criteria for determining which contracts require a third-party assessment and which allow self-assessment.
- Level 3 (Expert): CMMC 2.0 Level 3 is designed for companies working with CUI on the DoD’s highest-priority programs. These organizations handle CUI, but they also likely handle secret and, potentially, top-secret information. Level 3 is focused on reducing the risk from Advanced Persistent Threats (APTs). Only a government-led assessment team can certify an organization to Level 3, not a C3PAO, and the DoD contractor must comply with 110+ practices based on NIST SP 800-172. Government-led assessments will be conducted every three years.
CMMC 2.0 Allows the Use of POA&Ms
A central sticking point for DIB contractors under CMMC 1.0 was the inability to demonstrate intent to comply through a Plan of Action and Milestones (POA&M) – a document that identifies gaps and lays out project plans to close them.
Under CMMC 2.0, the DoD has announced that it intends to allow contractors to use POA&Ms under certain limited circumstances to achieve certification. While the specific controls and circumstances under which POA&Ms will be allowed have not been outlined, they will be aligned with NIST SP 800-171 and the DoD Assessment Methodology.
Timeline for CMMC 2.0
The changes reflected in CMMC 2.0 will be implemented through the government rulemaking process, which can take anywhere from nine to 24 months. Companies will be required to comply once the forthcoming rules go into effect. While these rulemaking efforts are ongoing, the DoD is suspending all CMMC pilot efforts and mandatory CMMC certification. Further, the DoD will not approve the inclusion of a CMMC requirement in any DoD solicitation until the rulemaking process is complete.
Prepare for CMMC 2.0 Implementation
Although CMMC 2.0 simplifies the requirements and narrows them in both scope and expectations, getting certified is no easy feat. DoD contractors need to spend time understanding the requirements and their own environment, and to establish a repeatable, evidence-driven compliance process that achieves certification and makes recertification in subsequent years easier.
Here are some ways you can prepare for CMMC 2.0 certification and improve your cybersecurity posture:
- Establish a technical boundary within which controlled unclassified information is received, processed, and stored
- Document how each control is implemented
- Define how CUI will be shared with partners and government sponsors
- Produce a DoD assessment score and upload it to the Supplier Performance Risk System (SPRS)
- Document your organization’s security posture as compliant with current DFARS rules
- Identify gaps and remediation plans in your Plan of Action and Milestones
- Ensure the Cybersecurity Incident Response Plan (CIRP) is updated and tested annually
- Continually improve your cybersecurity posture
Contact us today for more information about Alvarez Technology Group and our IT services.