In November 2021, the Defense Department’s unified cybersecurity program for contractors was overhauled, with many of the program’s elements streamlined to make the process easier to understand. Although the goals of the initial CMMC program were ambitious, implementing version 1.0 was expensive and resulted in many smaller businesses being forced out of the Defense Industrial Base (DIB).
The new model shows a refocusing on the Controlled Unclassified Information (CUI) that the Department of Defense has determined is critical to investing time and resources in protecting.
Although further changes are not out of the question, it appears that 2022 will largely be a year of realignment for contractors as well as those tasked with ensuring and assessing compliance.
Here is a look at the basics of CMMC certification and assessment in 2022.
Who Needs CMMC Certification?
The rules have not changed regarding who must obtain CMMC certification. Any company that works as a contractor or subcontractor with the U.S. Department of Defense (DoD) must prepare to meet the requirements of CMMC if they wish to bid on and win contracts.
In addition, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) that have clients who are part of the DoD supply chain and have access to their systems, network infrastructure or data will also need to uphold CMMC requirements.
For those further down the supply chain, the level of CMMC compliance needed will depend on how information flows from the prime contract to the third party.
All DoD contracts exceeding a micro-purchase threshold of $10,000 must have achieved CMMC certification by October 1, 2025.
What Level of CMMC Must I Meet?
The level of CMMC compliance an organization must meet is largely determined based on the amount of contact they have with Controlled Unclassified Information, or CUI, and the nature of that CUI. This may include things like:
- Weekly status reports
- Test reports
- Time – Compliant Technical Orders (TCTO)
- Program Protection Plans (PPP)
- Software source code
- Shipping locations
One important change to note is that CMMC 2.0 streamlines the model from five compliance levels to just three. The new model removes the previous Levels 2 and 4. CMMC Maturity Level 1 remains unchanged and still contains 17 practice requirements aligning with the 15 cybersecurity practices outlined in FAR 52.204-21.
However, the new Maturity Level 2 is replacing the previous Maturity Level 3 and will be aligned with the 110 practices outlined in NIST SP 800-171. The new Maturity Level 2 will no longer include the Delta 20 Practices.
The new Maturity Level 3, meanwhile, will take the place of the previous Maturity Levels 4 and 5 and is being developed based on a subset of NIST 800-172.
It is important to note that CMMC compliance does not have to extend to every element of the organization; it only needs to cover networks and information systems where CUI is created, processed, transferred or stored.
CMMC Assessments in 2022
The Department of Defense uses regular cybersecurity assessments of its contractors to gain assurance that all of the sensitive information that is shared with the Defense Industrial Base is sufficiently protected.
Here is what you need to know about CMMC assessments under CMMC 2.0.
Overview of Assessments
Under CMMC 2.0, tiered assessment requirements are used depending on the sensitivity of information that is shared with the contractor. Here is a look at who is responsible for assessments under CMMC 2.0:
- Contractors handling information that is deemed critical to national security and falling under Level 1 and a subset of Level 2 must perform annual self-assessments using clearly defined cyber security standards.
- Contractors who manage information considered critical to national security and falling under a subset of Level 2 must undergo third-party assessments.
- The most critical defense programs of Level 3 must undergo government-led assessments.
CMMC Self-Assessments
One of the most important changes in CMMC 2.0 is the changing of Level 1 certification, which covers basic cyber hygiene, to self-attestation, eliminating the need for undergoing outside assessments. Nevertheless, many contractors will still need to enlist the help of outside cyber security services to help them achieve compliance.
The Department of Defense sees Level 1, known as the Foundational Level, as a way of engaging contractors in developing or strengthening their cybersecurity approach. This level does not involve handling any sensitive national security information, so the DoD is now allowing companies to assess their own cyber security measures and introduce practices aimed at averting cyber attacks.
A subset of programs that have Level 2, or Advanced, requirements that do not involve information critical to national security, and their associated contractors, can also carry out self-assessments.
These self-assessments must be conducted on a yearly basis and carry affirmation from a senior official with the company that they are meeting the requirements. Companies will be required to register their self-assessments and affirmations in the Department of Defense Supplier Performance Risk System, or SPRS.
Third-Party Assessments
When CMMC 2.0 is fully implemented, contractors who fall under a subset of acquisitions that require Level 2 advanced cyber security standards because they handle information critical to national security must obtain third-party CMMC assessments.
The CMMC Accreditation Body, or CMMC-AB, will be in charge of accrediting CMMC Third-Party Assessment Organizations (C3PAOs) following their assessment from DoD. The accredited C3PAOs will be listed in the CMMC-AB marketplace.
Every organization that must meet these requirements is fully responsible for planning its assessment. Once it has been completed, the C3PAO will supply the Department of Defense with the assessment report.
Government Assessments
Organizations that must meet Level 3, or Expert, cyber security requirements must be assessed by government officials. The specific requirements are currently being developed.
Key Changes Introduced By The CMMC 2.0 Framework
Here is a look at some of the biggest changes that were introduced by the CMMC 2.0 framework.
Assessments
Under CMMC 1.0, all DoD contractors were required to undergo third-party assessments to assure CMMC compliance.
In CMMC 2.0, however, most contractors associated with the Foundational Level 1 and a subset of Advanced Level 2 programs will be permitted to carry out annual self-assessments using a self-assessment guide that is very similar to the NIST 800-171A.
Some experts have noted that contractors who do not have a strong security background will likely struggle to conduct the self-assessment on their own. Those with a lack of familiarity with cyber security may not be able to determine their boundary, implement the right controls and carry out a thorough self-assessment and will therefore need help from cyber security specialists.
In the self-assessment of a CMMC practice, there are one of three possible findings: Met, Not Met and Not Applicable. In order to demonstrate compliance with CMMC Level 1, contractors need to achieve a finding of either Met or Not Applicable on all of the Level 1 practices.
Not Applicable is appropriate when a practice does not apply for the self-assessment. For each practice that is marked as Not Applicable, a statement must be included explaining why the practice in question does not apply to this contractor. For example, SC.L1-3.13.5 could be considered Not Applicable if the contractor does not have any publicly accessible systems.
However, a portion of the Advanced Level 2 programs must undergo triennial third-party assessments. The Level 2 assessment guide is more complex and involved. Assessors and assessor organizations enlisted to support Advanced Level 2 companies receive their certifications and must be accredited by the CMMC-AB. Documentation and other types of proof will need to be presented by contractors to demonstrate that they are meeting security controls.
Meanwhile, Expert Level 3 programs need to undergo triennial assessments that are carried out by government officials. Further clarification is forthcoming, specifically regarding whether C3PAOs will assess the NIST 800-171 controls with the government-led portion being responsible for assessing the NIST 800-172 portion.
Assessment Ecosystem Oversight
Under CMMC 1.0, the Department of Defense reviewed CMMC-AB Conflict Of Interest policies. With CMMC 2.0 implementation, the DoD will approve CMMC-AB policies related to Conflict Of Interest that apply to the CMMC ecosystem.
Plans Of Action And Milestones (POA&Ms)
Before CMMC, organizations were allowed to delay their implementation of NIST 800-171 requirements if they were able to demonstrate that they intended to implement the controls on a specific date in the future. However, CMMC 1.0 took away the ability to have POA&Ms for practice requirements at the assessed maturity level.
With CMMC 2.0, POA&Ms are once again permitted on a limited basis. The highest weighted requirements on the SPRS point scale need to be fully implemented at the time of the assessment, however. The Department of Defense plans to publish a minimum SPRS score to support certification with POA&Ms.
This marks a retreat from the Pass Or Fail model used under CMMC 1.0 and allows organizations seeking certification the flexibility to pass certification assessments without implementing all of the required practices as long as they use POA&Ms that adhere to guidance that has yet to be issued.
Although this can be helpful in some circumstances, it is important to keep in mind that only a portion of the requirements will allow POA&Ms and it is unlikely to apply to the higher weighted requirements that tend to be the most difficult and expensive to implement.
Get In Touch With The Cybersecurity Professionals At Vaultes
Cyber security threats are constantly emerging and evolving, and it can be difficult for many Department of Defense contractors to stay on top of the latest compliance regulations.
At Vaultes Enterprise Solutions, our cyber security professionals are well-versed in the latest CMMC 2.0 requirements and can help your organization navigate the complex regulations in order to ensure compliance. We can review and explain the new policies to your organization and help you conduct a self-assessment or prepare for an official assessment to ensure that you will be able to maintain your government contract work under CMMC 2.0. Reach out today to discuss your organization’s needs.