To better protect the Defense Industrial Base (DIB) from increasingly dangerous cyber threats, the US Department of Defense (DoD) will soon start including the Cybersecurity Maturity Model Certification (CMMC) 2.0 in new solicitations.
DoD contractors and subcontractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be expected to safeguard sensitive information by following certain practices.
This article provides an overview of the required practices, the changes made since the initial release of CMMC 1.0, and the official implementation timeline, among other things.
The protection of sensitive information against both nation-states and non-state actors is a top priority for the DoD. This includes not only classified data, such as operational and battle reports or research documents, but also various unclassified data, from facility diagrams provided to construction workers to bills of materials for manufacturers.
By methodically collecting unclassified data shared by the DoD with contractors, a threat actor can gain useful insights that put national defense at risk.
The first comprehensive attempt to solve this problem came in 2017 with the release of the Defense Federal Acquisition Regulations Supplement (DFARS) for DoD contracts, which required all contractors and subcontractors handling CUI to comply with the NIST SP 800-171 framework and its 110 controls.
Unfortunately, DFARS failed to deliver the desired results because it relied on self-assessments and allowed contractors to create a Plan of Actions and Milestones (POA&M) for missing controls. The DoD course-corrected by releasing CMMC 1.0 in 2020, abolishing self-assessments entirely and extending well beyond the NIST SP 800-171 framework.
After an internal assessment of CMMC’s implementation based on the feedback it received from the DIB, the DoD announced the CMMC 2.0 in November 2021.
CMMC 1.0 Versus CMMC 2.0
With the CMMC 2.0, the DoD aims to help get the assessment framework off the ground by cutting red tape for small and medium-sized businesses, many of which vocally criticized CMMC 1.0 for requiring too much time, money, and effort given their limited roles in the DIB.
[Figure: CMMC 2.0 maturity levels. Source: US Department of Defense]
As the DoD's diagram illustrates, CMMC 2.0 contains only three maturity levels, down from five in CMMC 1.0:
- CMMC 2.0 Level 1: The first CMMC 2.0 level mirrors the first CMMC 1.0 level, consisting of 17 basic cybersecurity practices for contractors that need to protect FCI but don’t store or process CUI.
- CMMC 2.0 Level 2: The second CMMC 2.0 level aligns with the NIST SP 800-171, consisting of 110 cybersecurity practices for contractors that store and process CUI.
- CMMC 2.0 Level 3: Finally, the third CMMC 2.0 level is based on the NIST SP 800-172, consisting of over 110 cybersecurity practices for contractors that store and process the most sensitive CUI.
In contrast with the original assessment framework, which didn’t allow any self-assessments whatsoever, the CMMC 2.0 lets Level 1 contractors conduct annual self-assessments. For select programs, Level 2 contractors can also conduct annual self-assessments, but otherwise they’re required to pass third-party audits on a triennial basis, and the same is true for Level 3 contractors.
POA&Ms are now allowed at all maturity levels, but only for certain non-critical cybersecurity practices. Senior executives of companies that choose the self-assessment route are required by CMMC 2.0 to personally attest to the accuracy of the self-assessment, which exposes them personally to enforcement by the US Department of Justice (DoJ) if the attestation proves false.
The CMMC 2.0 model documentation and assessment guides were released in December 2021. Since then, a formal rulemaking process has been underway. Once that process is completed, which is expected no later than November 2023, CMMC 2.0 will become a contract requirement for all DoD contractors and subcontractors.
If that includes you, then don’t wait until it’s too late to implement the required practices and undergo the necessary assessment. Instead, find a reliable technology partner that can help you determine your compliance obligations and follow the NIST SP 800-171 or perhaps even the NIST SP 800-172 framework.
At Aligned Technology Solutions, we understand the challenges DoD contractors face, and we can provide the expertise necessary to overcome them. Contact us today to kick-start your CMMC 2.0 journey.