Concerning changes in the cybersecurity landscape have put immense pressure on agencies to evaluate their security policies. Government contractors are highly vulnerable to cyberattacks, as attackers aim to steal sensitive information, disrupt the delivery of public goods and services, and compromise the mission of the warfighter. The Cybersecurity Maturity Model Certification (CMMC) was developed to address these concerns by creating a standard for implementing cybersecurity practices across the Defense Industrial Base (DIB).
CMMC version 1.0 was released by the U.S. Department of Defense (DoD) on January 31, 2020. On November 4, 2021, the DoD announced that several changes have been made to the CMMC program. A new version of the program, known as CMMC 2.0, is a result of the DoD’s internal review of the program since its initial release, along with a review of more than 850 public comments.
DoD contractors working toward obtaining CMMC version 1.0 certification should also familiarize themselves with CMMC 2.0 changes. Learn more about the CMMC program and how changes in version 2.0 will impact cybersecurity requirements for contractors.
What Is Cybersecurity Maturity Model Certification?
The CMMC is a program initiated by the DoD to measure the capabilities, sophistication and readiness of its defense contractors’ cybersecurity. The CMMC framework refers to a group of processes and inputs from established cybersecurity standards, such as FAR, NIST and DFARS, and has a primary objective of improving the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
More than 300,000 companies currently exist in the DIB supply chain. CMMC was created in response to the substantial compromises of sensitive information found on the systems or networks of contractors. The certification applies to “prime” contractors who directly engage with the DoD, as well as to subcontractors that work under those primes to fulfill their contracts. In the coming years, new contracts will be issued with requirements at all levels of the maturity model.
The CMMC version 1.0 framework consists of five levels of preparedness, ranging from the lowest level (level 1) to the most advanced level (level 5). Here is a summary of these levels and what they include:
CMMC 1.0 Level 1
Level 1 of CMMC requires contractors to perform “basic cyber hygiene” practices, such as ensuring that employees frequently change their passwords or implementing antivirus software on office computers. Level 1 compliance requires contractors to protect FCI, or information not intended for public release. Process maturity is not assessed at Level 1 as organizations may only perform these practices when deemed necessary and may not have documentation.
CMMC 1.0 Level 2
Level 2 requires contractors to perform “intermediate cyber hygiene” practices. This level serves as a progression from Level 1 to Level 3 and includes a subset of security requirements that are specified in NIST SP 800-171, as well as other standards and practices. Since Level 2 is a transitional stage, some practices reference the protection of CUI.
CMMC 1.0 Level 3
Level 3 requires contractors to perform “good cyber hygiene” practices. Contractors that wish to establish Level 3 certification must create, maintain and resource a plan that demonstrates the management of activities for the implementation of practices. This plan may include details about goals, missions, resources, project plans, training and possible involvement of stakeholders.
CMMC 1.0 Level 4
Level 4 requires contractors to review and measure “proactive” practices for effectiveness. Organizations that reach this level can take corrective action when needed and inform management of problems that develop on a recurring basis. A company must have implemented practices for measuring the effectiveness of procedures in relation to advanced persistent threats (APTs).
CMMC 1.0 Level 5
Level 5 requires contractors to perform “advanced or proactive” practices to optimize implementation across the organization. This level focuses heavily on the protection of CUI from APTs. It includes additional practices that enhance the sophistication and depth of the business’s cybersecurity capabilities.
What Is CMMC 2.0 And What Does It Mean For Contractors?
The Cybersecurity Maturity Model Certification is a new requirement for DoD contractors. The maturity model was meant to replace the self-attestation model of the past and move to a third-party certification process. CMMC 2.0’s overhaul called for a hybrid approach: some contractors will self-attest, while others that process, transmit or store more sensitive information will require a Certified Third-Party Assessment Organization (C3PAO) to verify that the contractor’s cyber hygiene is commensurate with the associated risk. CMMC 2.0’s new requirements were designed to help reach the main goals of the internal review. These goals include the following:
- Gain public trust by maintaining a high degree of professionalism and ethical standards
- Safeguard sensitive information to protect the warfighter
- Instill a collaborative culture of cyber resilience and security
- Enhance DIB security to guard against evolving cyber threats
- Create accountability while helping to minimize barriers to compliance with DoD requirements
While CMMC 2.0 has been published, not all companies will have to comply with CMMC 2.0 right away. The Interim DFARS rule has established a phase-in period of five years in which CMMC compliance is only necessary for certain pilot contracts. Only once CMMC 2.0 has been codified through rulemaking will contractors be required to adhere to the revised framework.
There are several reasons why changes were made to the original CMMC framework. The DoD received more than 850 public comments from Congress, the industry and stakeholders in response to the interim rule. Many of these comments focused on the need to enhance certification by reducing costs, increasing trust in the assessment ecosystem, and aligning cybersecurity requirements to other federal standards and requirements.
Once CMMC 2.0 has been implemented, the DoD will specify what CMMC level organizations will need to meet for a contract. Self-assessments, associated with CMMC Levels 1 and 2, will be required on an annual basis. Government-led and third-party assessments, associated with some CMMC Level 2 and all of Level 3, will be required on a triennial basis. CMMC assessments will be accepted only when conducted by accredited and authorized C3PAOs or certified CMMC assessors.
The cost of CMMC certification is based on a variety of factors, such as the CMMC level that the business is striving for, the complexity of the business’s unclassified network and various market forces. A new cost estimate for CMMC 2.0 will be developed by the DoD to account for all changes made to the program.
What Are The Differences Between CMMC 1.0 And 2.0?
The DoD has announced several changes to CMMC 1.0 that aim to streamline the model, provide a more flexible implementation and reduce assessment costs. Some notable differences seen in CMMC 2.0 include:
- The number of assessment levels is reduced from 5 to 3
- Oversight of third-party assessors is increased
- The number of required security practices is reduced
- Self-assessment is available at Levels 1 and 2 if the contractor does not handle “critical national security information”
- Required practices align with cybersecurity standards issued by NIST
- Timeline for compliance is altered and estimated to be between 9 and 24 months
- Plans of Actions & Milestones (POA&Ms) and waivers are allowed under certain conditions
With CMMC 2.0, contractors will be permitted to enter contracts with a POA&M to complete CMMC requirements. Contractors must meet a number of mandatory controls to be awarded a contract, with possible additional goals that would need to be completed within a specified timeframe.
As noted above, CMMC 2.0 contains just three levels compared to the five found in version 1.0. These levels include the following:
CMMC 2.0 Level 1
Level 1 of CMMC 2.0 will include the same 17 controls found in version 1.0 Level 1, which includes a limited subset of NIST 800-171. This only applies to businesses that handle FCI. CMMC 2.0 Level 1 is considered a foundation level and an opportunity for contractors to develop and strengthen their cybersecurity posture. Level 1 of CMMC 2.0 is achievable via self-assessment.
CMMC 2.0 Level 2
Level 2 of CMMC 2.0 consists of the 110 controls of NIST 800-171. This level will be divided based on the sensitivity of the information stored by the contractor. Contractors that are deemed to store CUI identified as “Critical National Security Information” will be required to have a third-party assessment every three years. For some contractors, an annual self-assessment may be sufficient.
CMMC 2.0 Level 3
The third and final level of CMMC 2.0 is still under development. However, it is believed that this level will contain more than 110 practices based on NIST 800-171. One of the biggest differences between CMMC 1.0 and CMMC 2.0 is that assessments at Level 3 are government-led. It is currently unclear whether this will be a joint effort between the government and a C3PAO, or solely the government.
What Should Defense Contractors Do To Prepare?
The DoD has not yet finalized rulemaking concerning CMMC 2.0; however, there are some things that defense contractors can do to prepare for certification. First, identify what CMMC level will need to be reached based on the type of data that the business handles. At a minimum, all defense contractors must meet the requirements of Level 1. Contractors that handle Controlled Unclassified Information will need to certify at Level 2, and a business that handles highly sensitive CUI will need to certify at Level 3.
To become certified, a business must prove that they have implemented the required practices. One way to gauge compliance is by conducting a gap analysis. A CMMC gap analysis or assessment occurs when a business identifies all current CMMC practices and processes and then compares them to the practices and processes required to optimize performance or meet compliance requirements.
Request A Consultation With The Experts At Vaultes
While CMMC 2.0 is designed to simplify and lessen the requirements in both expectations and scope, becoming certified is still no easy feat. Defense contractors must familiarize themselves with CMMC requirements and their current IT environment to determine what steps they need to take to reach certification. For more information about CMMC 2.0, or to schedule a consultation with an experienced cybersecurity consulting firm headquartered in the Washington D.C. metro area, contact the experts at Vaultes.