In November 2021, the Department of Defense (DoD) revised CMMC 1.0 into CMMC 2.0, making substantial changes. To make CMMC compliance easier to achieve, the DoD reduced the number of levels from five to three. Since there are many technicalities involved, we at InterSec aim to bring you the latest and most comprehensive information.
So, we will start with the most basic question:
Developed by the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a comprehensive standard for benchmarking and implementing cybersecurity across the defense industrial base (DIB). The DIB includes over 300,000 companies working in the defense supply chain.
The CMMC standards are the DoD’s way to secure and protect sensitive defense information shared with the contractors that work with the DoD.
The latest CMMC framework (CMMC 2.0) contains three levels, as follows:
Before the CMMC, the responsibility for implementing, monitoring, and certifying the security of information technology systems, and of the information stored in and relayed through those systems, rested with the contractors in the Defense Industrial Base.
The contractors were responsible for implementing and maintaining critical cybersecurity infrastructure and for aligning with the security compliance requirements that applied to them.
The new CMMC standards replace this model by segregating CMMC compliance into three levels depending on the criticality of the information shared with contractors. As mentioned, the latest CMMC framework has three levels, namely Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Third-party assessment of a contractor’s compliance is mandatory for CMMC Level 3.
The Department of Defense works with more than 300,000 companies listed under the Defense Industrial Base. These companies work closely with the DoD to develop everything from complex weapons, aircraft, missiles, and submarines to products as simple as shoes for defense personnel.
Working with the DIB involves sharing critical information with these contractors, and a leak of such information may pose risks to the interests of the US. The DoD acknowledges that the leakage of Controlled Unclassified Information (CUI) from the Defense Industrial Base has increased the risk to the US economy and national security.
Working closely with the Defense Industrial Base, the Department came up with detailed measures to protect, control, and reduce the risks that may result from the loss of critical Controlled Unclassified Information from the DoD’s unclassified networks.
The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) framework is the result of these efforts and contains protective measures and guidelines to ensure the security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Controlled Unclassified Information (CUI) is a class of unclassified information within the U.S. Federal government that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Federal Contract Information (FCI) is information provided by or generated for the Government under a contract that has not been, or will not be, publicly released (within a reasonable period). The protection requirements for FCI are laid down in the Federal Acquisition Regulation (FAR).
The information above outlines the basics of CMMC 2.0. We will be covering every aspect of CMMC 2.0 in our upcoming blogs. Sign up for our newsletter to stay up-to-date on CMMC.
InterSec Inc., a minority-owned Virginia corporation founded in 2013, is a one-stop cybersecurity service provider to small and medium-sized businesses. We bring thought leadership, industry best practices, subject matter experts (SMEs) with cybersecurity domain expertise, defense-in-depth, and deep technology experience in supporting customer-centric custom solutions and services.
We are a CMMI Level 3, ISO 9001, and ISO 27001 appraised organization and are committed to continually improving our processes and practices.
InterSec is an active member of various industry groups such as (ISC)2 NoVA, ISSA, ISACA DC, OWASP NoVA, Reston Chamber of Commerce, and NVTC and is equipped with the required expertise to provide a full range of cybersecurity services, including program management, governance, CMMC Compliance, cybersecurity, and risk management to its Federal, State, and Commercial customers.