What is CMMC 2.0? An Exclusive Look
by Christopher Trick, on Nov 19, 2021 7:04:18 PM
Unlock the secrets of the latest update to the Cybersecurity Maturity Model Certification (CMMC) and find out how it provides strengthened security of unclassified data against hacker attacks.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification.
Developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, university-affiliated research centers (UARCs), federally funded research and development centers (FFRDCs), and industry, the CMMC is a security assessment and verification standard for defense contractors serving the Department of Defense (DoD).
The CMMC was first announced in January 2020, aimed at the more than 300,000 companies that make up the defense industrial base (DIB). The intent is to assess the security levels of companies in the DIB to protect controlled unclassified information (CUI) and federal contract information (FCI) against cybersecurity attacks, so crucial data is not intercepted by hackers or enemies of the United States.
(Controlled unclassified information (CUI) refers to information that is sensitive but not enough to be considered classified; federal contract information (FCI) is information about a product or service to be provided to the government but is not for public release.)
The CMMC mandates that contractors and subcontractors undergo security audits by third-party assessment organizations (CP3AOs) to verify compliance with DoD cybersecurity standards.
During the audit, the CP3AOs assess the cybersecurity measures of companies and relate the results to the DoD, informing the department of any potential security risks that would result from the release of CUI or FCI.
For a more in-depth analysis of CMMC, click here. `
The evolution of CMMC
CMMC Version 1 (V1) had five compliance levels of security--Basic (Level 1), Intermediate (Level 2), Good (Level 3), Proactive (Level 4), and Advanced (Level 5)--with each adding another layer of protection for the company that adheres to it.
In time, however, having all five levels became too expensive for most small businesses, and as a result, CMMC Version 2 was born.
CMMC 2.0, released in November 2021, now encompasses only three levels of security--Foundational (Level 1), Expert (Level 2), and Advanced (Level 3)--consolidating and updating the previous standard.
All levels are evaluations of an organization's protective capacities against cyberattacks, with Level 1 being the lowest and Level 5 (CMMC V1) or Level 3 (CMMC 2.0)
Currently, documentation for CMMC 2.0 is public for review, and the DoD is waiting for feedback and revision before it can implement this new standard.
Here is a chart summarizing the differences between CMMC V1 and CMMC 2.0.
What is the goal of CMMC 2.0?
As with CMMC V1, protection of sensitive information and evaluating an organization's security measures is the primary focus of CMMC 2.0.
CMMC 2.0 differs from CMMC V1 as it seeks to:
- Simplify CMMC and enhance clarity on cybersecurity regulatory, policy, and contracting requirements
- Focus on third-party audit mandates and the most advanced cybersecurity measures of organizations that support essential programs in the aerospace and defense industries
- Increase DoD oversight of professional and ethical criteria regarding third-party assessment
A Closer Look at the Three Levels of CMMC 2.0
CMMC V1 focused on both practices and processes, with five levels for each to obtain certification.
But CMMC 2.0 eliminates processes and focuses only on practices, thus leaving only three levels.
Let's take a closer look at these levels:
Level 1: Basic Cyber Hygiene (Foundational)
This is the most basic level of certification and consists of several practices that correspond directly to essential safety conditions outlined in the Federal Acquisition Regulation (FAR).
Level One consists of 17 basic cybersecurity practices such as implementing Access Control as well as Identity and Authentication.
Other practices include:
- Asset Management (AM)
- Audit and Accountability (AA)
- Awareness and Training (AT)
- Configuration Management (CM)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PP)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (SAS)
- Situational Awareness (SA)
- System and Communications Protections (SCP)
- System and Information Integrity (SII)
The primary aim is to protect federal contract information, and it is mandatory for anyone looking to obtain a DoD contract.
The only people who will not have to obtain Level 1 are commercial-off-the-shelf (COTS) providers who do not receive federal contract information.
Level 2: Intermediate Cyber Hygiene (Advanced)
Level 2 requires recorded policies for each of the 17 practices covered by the certification and documentation for completing each practice's policies.
It is a more extensive set of security practices--55 in addition to the 17 in Level 1--that are a subset of the NIST SP 800-171 requirements, which protect controlled unclassified information in the IT of government contractors and subtractors. (NIST stands for National Institute of Standards and Technology)
The goal is to create a basic sense of cybersecurity for any organization that has CUI, which requires a higher level of security than an organization with only FCI.
Level 3: Good Cyber Hygiene (Advanced)
The final level mandates an organizations establish and maintain a plan to implement the requirements of CMMC.
Level 3 includes all the practices included in Levels 1 and 2, the requirements stated in NISA SP 800-171 as well as NISA SP 800-172--which supplements NISA SP 800-171--and an additional 58 practices.
The primary objective is to enhance the security practices established in the previous two levels and expand an organization's overall security.
How CMMC 2.0 differs from CMMC V1
CMMC 2.0 represents three fundamental changes that refine the original program requirements:
A Streamlined Model: CMMC 2.0 focuses on the most critical requirements, condensing the model to 3 compliance levels instead of five. Additionally, it aligns with widely accepted standards, adhering to the National Institute of Standards and Technology's cybersecurity standards.
Reliability Assessments: Companies at Level 1 and a subset of Level 2 can demonstrate compliance through self-assessments, reducing assessment costs for third-party organizations. There is also increased accountability with increased oversight of the professional and ethical standards of third-party assessors.
Flexible Implementation: Under limited circumstances, companies can make Plans of Action and Milestones (POA&Ms) to achieve certification, fostering a spirit of collaboration among team members. CMMC 2.0 also allows waivers to CMMC requirements under certain limited circumstances, adding flexibility and speed to the certification process.
Next steps for CMMC 2.0
The Department of Defense intends to pursue rulemaking for CMMC 2.0 in Part 32 of the Code of Federal Regulations (CFR) and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the CFR.
Both rules will have a public comment period, as stakeholder input is essential in meeting the goals of the CMMC program. The DoD will actively seek out the opinions of others as it strives towards full implementation of the new standard.
The Department is looking to suspend current CMMC Piloting during the rulemaking process and will not include any CMMC requirement in any contract before rulemaking is completed.
While rulemaking is underway, contractors are encouraged to enhance their cybersecurity efforts. The DoD is also looking to provide incentives to any company that obtains a CMMC certification during this time.
When will compliance become mandatory?
Compliance with CMMC 2.0 will not become mandatory until the rulemaking process is completed. The process is currently expected to take 9 to 24 months.
Until that time, the DoD is following the DFARS Interim Rule, meaning only a select few pilot contractors must comply with CMMC requirements.
But all organizations, irrespective of whether or not they must comply with CMMC at this time, should work toward implemeting NISA SP 800-171 regulations.
As soon as the rulemaking process and coding are complete, CMMC 2.0 will become a contractual requirement for all organizations looking to conduct business with the DoD.
How to prepare for CMMC 2.0
Companies that have already formulated their security systems plans (SSP), created POA&Ms, and computed as well as submitted their Supplier Performance Risk System (SPRS) score are in pretty good shape to make the shift toward CMMC 2.0.
For companies that haven't done so, here are some ways they can prepare and improve their cybersecurity posture:
- Establish a technical boundary where controlled unclassified information is received, processed, and stored
- Define how CUI information will be shared with partners and government sponsors
- Document your organization's security posture as compliant with current DFARS rules
- Document control implementations
- Identify gaps and remediation plans in your Plans of Action and Milestones
- Produce and upload a DoD assessment score into the SPRS
- Ensure the Cybersecurity Incident Response Plan (CIRP) is updated and tested annually
- Continually improve in all of the aforementioned areas until CMMC 2.0 is implemented
Security of information is an ever-present concern, especially when working in the aerospace and defense sector.
Companies that comply with cybersecurity standards ensure the safety of sensitive information, and they put forth an image of responsibility to the public and government officials.
Trenton Systems is aiming to surpass Level 2 of CMMC 2.0, reflecting our commitment to safe and secure high-performance computing.
Here at Trenton, we pride ourselves on continually improving our practices and products to provide our customers with the best experience possible.
Interested in learning more? Get in touch to discover how Team Trenton can arm you with the right tools to take on any mission with speed, agility, and maximum protection.