CMMC 2.0: What You Must Know for Compliance

CMMC Blog Post

Written by: Andrew Steioff

Reviewed by: Luca Pascale
Updated: October 31, 2022


Data protection is essential for every organization. For organizations with government contracts, data protection and overall cybersecurity posture can be a matter of national security. In November 2021, the Department of Defense announced enhancements to its upcoming cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC).

CMMC 1.0 was announced in 2020, but the Department of Defense (DoD) updated the framework in response to industry comments, Congress, and other federal agencies. The updated set of standards is known as CMMC 2.0. However, CMMC 2.0 will not be enforced until it completes an extensive rulemaking process, which takes between nine and 24 months.

The CMMC framework creates a set of tiered cybersecurity standards that will apply to government contractors to ensure that the 300,000+ companies in the defense industrial base (DIB) supply chain maintain a strong cybersecurity posture. The three-tiered system is based on the contractor’s level of access to sensitive information, with each tier requiring a different type of assessment and a specific set of practices.

Companies with government contracts can start preparing for compliance now. The DoD has developed Project Spectrum to help organizations evaluate their posture and make necessary changes. 

Additionally, LogicGate’s Risk Cloud® platform can help organizations better understand their overall GRC status. CMMC 2.0 is closely aligned with NIST 800-171 and NIST 800-172, so complying with these frameworks will make significant progress towards future CMMC compliance.

It’s essential for any organization that holds government contracts, or plans to acquire them, to prepare for compliance now. Read on to learn what you need to understand about this critical new cybersecurity framework that will impact any organization with DoD contracts.

The Background and Evolution of CMMC 2.0

A 2018 research paper was released by Mitre Corp, with the support of the DoD, entitled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” The study highlighted the increased level of threats facing the DoD network, information, and supply chain. In addition, the paper included specific recommendations on how the DoD can minimize these threats by enacting more robust cybersecurity measures for every third party it contracts with.

The paper motivated the DoD to launch CMMC 1.0 on January 21, 2020, to dictate how government contractors must protect and secure access to all DoD assets. The goal of CMMC is to establish a set of robust security standards as prerequisite criteria that must be met before the DoD reviews other competitive factors, such as scheduling, performance, and cost.

“Risk-based security should be viewed as a profit center for the capture of new business rather than a ‘loss’ or an expense harmful to the bottom line.”

— Mitre Corp in its paper, “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” 


However, CMMC 1.0 drew criticism from industry experts and other government officials. CMMC 2.0 was later announced in 2021 as a response to these comments. The goal of the updated version of the framework is to:

  • Reduce compliance costs, primarily for small businesses
  • Increase overall trust in the CMMC ecosystem
  • Clarify and align cybersecurity requirements with other federal requirements and dominant frameworks, such as NIST 800-171 and NIST 800-172

A significant change with CMMC 2.0 is that it will not be enforced until it has completed the rulemaking process. Additionally, tiers that allow for self-assessment will now require attestation by corporate executives, which puts renewed, business-wide focus on excellent cybersecurity.

So, when is the CMMC compliance deadline? CMMC 2.0 will be implemented through a rulemaking process before becoming a requirement. The DoD has suspended its original CMMC piloting efforts, and the new framework will not be a requirement until it is formalized, except for select pilot contracts. Once the rulemaking process is complete, CMMC 2.0 will be a requirement.

Who is Affected by the Updated CMMC Framework?

CMMC 2.0 will apply to all third parties within the defense supply chain, including contractors, vendors, and any other contracted third parties related to the support of the DoD. 

Once the rulemaking process is complete and CMMC 2.0 is enforced, organizations will undergo assessments based on the framework’s tiered levels to ensure they have a strong cybersecurity posture.

What is the Purpose of CMMC 2.0?

The CMMC framework was established in response to the growing number of cybersecurity threats, attacks, and vulnerabilities targeting DoD contractors. Successful attacks gave malicious actors backdoor access to sensitive information assets, the compromise of which can threaten national security.

CMMC 2.0 creates a unified framework for future DoD acquisitions. The intent is to mandate uniform and effective cybersecurity practices for all contractors. CMMC will also be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), which is used to award contracts. CMMC intends to serve as a verification mechanism to:

  1. Ensure appropriate levels of cybersecurity processes and practices are in place, including basic cybersecurity hygiene
  2. Protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)

CUI is information that requires safeguarding or other dissemination controls under applicable laws, regulations, or government-wide policy. The CUI Registry discusses the specific types of information that must be protected, with a list ranging from Critical Infrastructure to International Agreements.

FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver products or services to the government. You can view more information about FCI on the official government website.

DoD contractors handle CUI, FCI, or both. Access to these types of information necessitates the enforcement of effective cybersecurity, as detailed by CMMC.

An Overview of the CMMC 2.0 Framework

The original CMMC had five maturity levels, but the enhanced CMMC 2.0 has reduced them to three tiers. CMMC 2.0 also eliminates all maturity processes and unique CMMC 1.0 security practices, instead aligning closely to NIST frameworks. 

The new tier-based assessment process introduced with CMMC 2.0 calls for three tiers of assessment based on the level of information access. These assessment levels can be summarized as follows:

  • Level 1 - Foundational: This level requires an annual self-assessment with attestation from a corporate executive.
  • Level 2 - Advanced: This level is aligned with NIST SP 800-171. Triennial third-party assessments are required for contractors handling critical national security information. Select contracts in a subset of this level will only require annual self-assessments with corporate attestation.
  • Level 3 - Expert: This level is aligned with NIST SP 800-172 and will require triennial government-led assessments.

Additionally, CMMC 2.0 has 14 domains, down from 17 in CMMC 1.0. The new domains are more closely aligned with NIST:

  1. Access Control (AC)
  2. Awareness & Training (AT)
  3. Audit & Accountability (AU)
  4. Configuration Management (CM)
  5. Identification & Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

The CMMC model measures the implementation of cybersecurity requirements at three levels. In addition to the assessment requirements discussed above, each level consists of a set of CMMC practices:

  • Level 1: Encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.
  • Level 2: Encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].
  • Level 3: Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172 [6].

How to Prepare for CMMC 2.0

As with the original CMMC 1.0, any organization with government contracts must comply with CMMC 2.0 once the rulemaking process has been completed. If your company has, or is in the process of obtaining, government contracts, your first action should be to understand the classification of the data you handle (CUI and FCI) in order to determine your CMMC level.

Once you’ve determined your organization’s current or prospective DoD contracts, you need to begin evaluating your cybersecurity posture and address any vulnerabilities. A GRC platform can help you gain a deeper understanding of potential issues and identify strengths in the following areas:

  • Threat Assessment: Evaluate strengths, vulnerabilities, and gaps in existing cybersecurity practices for CMMC readiness.
  • Process Management: Provide a centralized information security risk management tool and platform to manage processes and practices effectively across the specified domains.
  • Access Control: Manage differentiated access to CUI with varying levels of approval across individuals or departments.
  • Incident Reporting and Mitigation: Provide relevant parties with the reporting, incident management, and mitigation tools needed to safeguard DoD assets.
  • Cross-Divisional Collaboration: Facilitate collaboration, coordination, and information sharing across divisions to ensure effective compliance.
  • Reporting: Serve as a repository for the information required by the DoD for third-party verification or auditing purposes.

With the change in approach to enforcing CMMC for all new contracts after the rulemaking process, CMMC 2.0 alignment needs to be a top priority in the next few quarters. Utilizing a GRC platform to facilitate these conversations and demonstrate compliance can help accelerate this process. As part of our holistic Controls Management and GRC platform, Risk Cloud, we offer a robust, stand-alone CMMC Self-Assessment Application that allows your organization to conduct a readiness assessment and identify and manage gaps in its compliance with the framework. You can also produce a Plan of Action & Milestones and carry out remediation before formal assessments, giving your government counterparts a clear picture as part of the overall compliance discussion. Request a demo to start preparing today and give your organization a head start.
