On November 4, 2021, the Department of Defense announced a major revision to the Cybersecurity Maturity Model Certification (CMMC), which impacts companies in the United States defense industrial base, or DIB companies.
Also known as CMMC 2.0, these changes to the CMMC framework simplified how defense contractors manage cybersecurity and certify their compliance.
The changes made national news headlines, as they both simplified and formalized the requirements for DoD contracts. They also have far-reaching impacts for all companies in the defense contracting sector.
In this blog post, we will provide a brief CMMC assessment guide which explores the main changes associated with CMMC 2.0, common assessment requirements, and what CMMC 2.0 means for companies seeking certification and full CMMC compliance.
The Complete CMMC Guide: Understanding CMMC
Before we dive into the main changes with CMMC 2.0, we’ll provide some CMMC guidance by explaining the reasons behind this assessment framework.
The NIST SP 800-171 publication is a cybersecurity standard published by a federal agency. It is available for use by government agencies and private companies to benchmark and control cybersecurity maturity.
The NIST standard forms the foundation of CMMC and was selected to help defense contractors protect the privacy and confidentiality of federal contracting information (FCI) and controlled unclassified information (CUI).
In announcing CMMC, the Department of Defense was responding to a growing number of cybersecurity breaches and incidents at government contractors, which were jeopardizing national security.
By implementing clear guidelines on the required levels of compliance with NIST SP 800-171 and third-party assessment requirements and audits, the Department of Defense is aiming to elevate the overall level of cybersecurity maturity in the DIB and improve the accountability and follow through by government contractors.
Why CMMC 2.0?
Industry observers have noted that CMMC 1.0 immediately created a compliance bottleneck, since large numbers of contracting firms required third-party assessments.
Additionally, the total number of CMMC Third-Party Assessor Organizations (C3PO) organizations was growing too slowly to meet the overall demand.
The Department of Defense (DoD) quickly responded to these realities and announced widespread changes with CMMC 2.0.
In short, CMMC 2.0 simplifies the overall compliance process and makes it less burdensome, especially for the tens of thousands of smaller companies that make up the bulk of the DIB.
The DoD realized that the spirit of law – that is, increased cybersecurity maturity and investment – could be just as easily achieved by embracing a tiered approach to the assessment methodology.
CMMC 2.0 acknowledges that there are big differences in risk management between smaller manufacturers and large and sophisticated prime contractors.
The CMMC 2.0 changes give companies more flexibility and allow them to make real, concrete investments in cybersecurity, without having to necessarily engage third party assessors or auditors.
Let’s now explore the most important changes with the new CMMC framework.
|Interested in learning more about CMMC compliance? Check out these blogs:
From Five Levels to Three Levels
The biggest change of CMMC 2.0 is the simplification of the CMMC levels of maturity, from previously five levels with CMMC 1.0 to now three.
Before, there was a lot of confusion amongst industry participants about where companies should focus and which level was preferred for CMMC guidance. It seemed there were too many levels and not enough distinction between each of them.
With CMMC 2.0, levels 2 and 4 of CMMC 1.0 were basically eliminated. The end result with CMMC 2.0 is a much simpler, three-level maturity model, with solid distinctions between each level, both in terms of the number of controls required and the process for certification.
Level 1: The New Foundational Level
Level 1 is designed for defense contractors that are smaller and have more limited budgets and sophistication.
This level is appropriate for companies that only handle federal contract information (FCI), which is the most basic form of information that flows from the Department of Defense down through the supply chain.
Companies that only have access to FCI are by their very nature at lower risk of breach and damage to the DoD.
Under CMMC 2.0, Level 1 organizations need to implement 17 different practice areas from the NIST SP 800-171.
These 17 controls are similar to the most basic cybersecurity controls implemented by MSPs such as NENS. A big difference with Level 1 is all companies at this level can self-attest to owning their compliance on an annual basis.
While a CMMC self-assessment is arguably at a lower bar, they are governed by the False Claims Act, which provides for significant civil penalties against organizations that provide false or misleading information about their level of compliance.
In 2020 alone, the Department of Justice obtained over $2.2 billion in settlements and judgements against companies under the False Claims Act.
Level 2: Advanced Level – Companies With Access to CUI
It is likely that most DIB companies will need to reach Level 2 compliance with CMMC 2.0.
Any company that has access to controlled unclassified information (CUI) during the contracting and supply chain process needs to reach Level 2 certification. Level 2 seeks to protect CUI and requires companies to implement 110 CUI controls.
For most organizations, complying with the additional 110 controls at this level requires months of planning and implementation work. This is where regulations like CMMC 2.0 make a difference in the cybersecurity posture for companies, hence the need for proper CMMC guidance.
All 110 controls will often require companies to not only make changes in their security processes, procedures, and technologies, but also to demonstrate months of production operation and internal auditing.
CMMC-AB has provided a Marketplace of Registered Providers Organization (RPO) to help Contractors navigate through this process. NENS has recently been approved and entered into that Marketplace as a CMMC RPO.
CMMC 2.0 envisions a “bifurcated” assessment methodology. Companies participating in “prioritized acquisitions” will require annual self-assessment, in addition to third-party assessments every three years.
Generally, subcontractors will learn from their prime contractors whether current supply agreements will fall under prioritized acquisitions.
Future RFPs and RFIs from general contractors may subject downstream suppliers to this higher standard to win new business.
Therefore, growth-oriented companies should work closely with their customers and prime contractors to understand how different supply agreements may be prioritized.
For companies working under “non-prioritized acquisitions,” the standard is an annual self-assessment similar to Level 1.
Level 3: Expert Level
The highest level in CMMC 2.0 is generally designed for prime contractors, those large companies that are working directly on the DoD’s “highest priority programs.”
Under CMMC Level 3, the federal government performs the required third-party assessment every three years. Organizations at this level need to comply with all of the cybersecurity requirements and controls spelled out in the more extensive NIST SP 800-171 standard.
CMMC 2.0 envisions situations where companies, especially at Level 2, identify deficiencies in compliance during a self or third-party assessment.
The DoD wants to create a culture of continuous improvement. The DoD does not want the supply chain to freeze up, while companies spend time investing in and improving their posture in accordance with cybersecurity requirements.
Therefore, organizations may identify a Plan of Action and Milestones (POAM), where the organization receives temporary certification – which is contingent upon the successful completion of cybersecurity improvements and controls.
What’s more, CMMC 2.0 is currently not yet fully in effect, but is in the official public comment period. It may take anywhere from 9-24 months from November 2021 for the official compliance deadline to take effect.
Since it may take months or more to implement the 110 controls for Level 2, organizations should move with haste to perform a CMMC self-assessment or engage a Registered Provider Organization (RPO).
Now is the time for defense contractors to identify deficiencies and needed improvements while leveraging the public comment period to ramp up their cybersecurity maturity.
Implementation Through Contracts
Once the public comment period is over and CMMC 2.0 is fully implemented, DoD contractors that handle sensitive unclassified DoD contracts and information will be required to achieve a particular CMMC level as a condition of contract award.
In order to provide the right level of CMMC guidance, CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor.
Upon implementation of CMMC 2.0:
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual CMMC self-assessments against clearly articulated cybersecurity standards.
- CMMC self-assessments are governed by the False Claims Act, which provides for significant civil penalties against organizations that provide false or misleading information about their level of compliance
- Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments every three years. These can be performed by accredited Third Party Assessment Organizations (C3PAOs) listed on the CMMC-AB Marketplace
- The highest priority, most critical defense programs (Level 3) will require government-led assessments every three years
Achieve CMMC Compliance With Help From a Proven Partner
Keep your communications safe with email security solutions from NENS.
Master the CMMC Assessment Guide With NENS
In this CMMC guide, we discussed what CMMC is, the many changes brought about by CMMC 2.0, and how the assessment requirements help DIB companies and organizations with DoD contracts become compliant.
As a trusted CMMC Registered Provider Organization (RPO), NENS can assist defense contractors with sorting out the complexities of CMMC 2.0 and begin the process of basic assessment and full CMMC compliance.
For more information on our CMMC guidance and assessment services, please contact us today for more information.