Welcome to our most comprehensive and updated guide on Cybersecurity Maturity Model Certification (CMMC) 2.0!
The CMMC is a program spearheaded by the U.S. Department of Defense (DoD) aimed at safeguarding Controlled Unclassified Information (CUI) by ensuring that organizations have the necessary cybersecurity measures in place to prevent unauthorized access, usage, or dissemination of sensitive data.
The latest iteration, CMMC 2.0, brings forth a tiered system spanning levels from 1 (Basic Cybersecurity Hygiene) to 3 (Advanced/Progressive), helping entities to categorize and manage cybersecurity with a perspective aligned to their risk management strategies and business needs.
As we navigate through a landscape where cyber threats are constantly evolving and becoming more sophisticated, being CMMC compliant is not only central to securing an organization’s assets and data but is also pivotal in fostering credibility and gaining a competitive edge in the marketplace.
In July 2023, the Department of Defense (DoD) formally presented the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA), an agency overseen by the Office of Management and Budget (OMB). This submission initiated a systematic regulatory review process, laying the groundwork for the rule's official implementation.
On December 26, 2023, the Department of Defense published the Proposed CMMC Rule. The Proposed Rule represents a pivotal step in the cybersecurity of the Defense Industrial Base (DIB). With the Proposed CMMC Rule, DoD has made significant changes that will have long-term impacts on how CMMC 2.0 requirements are implemented in the DIB supply chain.
What does this mean for organizations in the defense sector? With the CMMC Proposed Rule, the DoD has set the clock in motion. There has already been a significant uptick in CMMC requirements in solicitations since last year. The commenting period on the Proposed Rule closed on February 26, 2024. Now, CMMC can be published as a final rule anytime between now and Q1 2025. Owing to this, the requirements in solicitations will expand exponentially over the next few years.
Businesses, especially small enterprises, are encouraged to gear up for this change by understanding the CMMC level pertinent to them and initiating the necessary steps toward certification rather than waiting. It is vital to undertake this journey with foresight, factoring in the time, which can range anywhere from a few months to a couple of years depending on various dynamics, such as the complexity of your organization and the level of certification you are targeting.
As the final rule is anticipated to be in effect anytime between now and Q1 2025, with a phased rollout spanning three years, starting your preparations now will ensure a smooth transition, helping you to uphold the integrity of sensitive information while reaping the manifold benefits of CMMC compliance.
This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance.
Engaging with professional CMMC consulting firms can aid in delineating a path that is in alignment with your budget and needs, helping you to navigate the complexities with ease.
CMMC being published as a Proposed Rule in December 2023 leads to a phased CMMC implementation. Industry insiders are closely watching NIST's maneuvers, as NIST has moved ahead with SP 800-171 Revision 3. SP 800-171 Rev 3 is set to elevate cybersecurity controls further.
This revision, anticipated to materialize between Q1 and Q2 of F.Y. 2024, may prompt the DoD to grant a "class deviation." DoD’s class deviation provides DoD contracting officers (COs) a way to mitigate delays prospective offerors would experience when transitioning from NIST 800-171 Rev 2 to Rev 3.
In the context of regulatory and compliance environments, "class deviation" refers to a temporary alteration or adjustment to a policy, standard, or regulation that applies to a specific group or "class" of entities, effectively extending the compliance deadline to synchronize with CMMC's potential F.Y. 2025 implementation.
Given the active developments, firms are advised to advance their compliance with the existing NIST SP 800-171 standards to transition into the CMMC requirements smoothly. Initiating this now is prudent, considering the considerable time, typically a few months to 2 years, required to become assessment-ready.
Federal Contract Information (FCI): Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.
Controlled Unclassified Information (CUI): Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Exhibit 1: CMMC Rulemaking Timeline
Exhibit 2: The Federal Rulemaking Definition
The enforcement of CMMC by the Government showcases alignment with enhancing cybersecurity maturity in the defense supply chain ecosystem, reflecting a shift in national cybersecurity strategy.
In 2022, DoD released a memorandum that stated:
The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" in effect at the time the solicitation is issued or as authorized by the contracting officer.
Exhibit 3: CMMC vs. NIST SP 800-171 Comparison
CMMC compliance aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The framework comprises processes and other frameworks and inputs from cybersecurity standards like NIST 800-53, ISO 27001, U.K. Cyber Essentials, and the Australian Cyber Security Centre Essential Eight Maturity Model. The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.
CMMC, created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks, specifically intends to improve the security of federal contract information (FCI) and controlled unclassified information (CUI) transferred within the DIB.
As threats change, CMMC 2.0 expands on the original CMMC 1.0 framework to dynamically improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations. Three levels based on well-recognized NIST cybersecurity standards have replaced the five cybersecurity compliance levels in CMMC 1.0.
With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements.
Exhibit 4: CMMC 2.0 Streamlined Framework
Following is the outline of the CMMC 2.0 Model as published in December 2023:
Exhibit 5: CMMC 2.0 Assessment Requirements
The Department of Defense (DoD) is systematically integrating the Cybersecurity Maturity Model Certification (CMMC) into defense contracts over four phases. This phased implementation facilitates defense contractors and subcontractors in transitioning to enhanced cybersecurity standards, ensuring gradual compliance with specific timelines and objectives.
The CMMC Proposed Rule introduces significant changes for defense contractors and subcontractors, mandating enhanced cybersecurity practices across various contracts and levels, including those involving cloud and external service providers. This regulation impacts how defense-related information is managed and protected.
The significance of CMMC connects back to the United States' national security. The Defense Industrial Base (DIB) is a global industrial complex that supports vital services and goods such as the design, manufacture, delivery, and maintenance of military weapons systems to satisfy the needs of the U.S. military.
The DIB supply chain comprises more than 300,000 businesses that work for the DoD under contract. Defense contractors must have their cybersecurity status inspected and confirmed by an impartial third party before signing a contract with the DoD. In addition to the complexity of what is at risk, studies show that the global cost of cybercrime is around $945 billion, which is more than 1% of the worldwide GDP. The Department of Defense is putting in maximum effort to reduce the costs and risks through CMMC.
Below are the reasons for complying with CMMC:
CMMC is a requirement for all companies that want to work as a contractor/subcontractor within the Defense Industrial Base supply chain.
Also, the proposed rule mandates that subcontractors throughout the supply chain comply with CMMC. The specific CMMC Level required for a subcontractor will align with the type of information they handle, which may differ from the prime contractor.
Exhibit 6: DoD Supply Chain
Hence, everyone involved in the defense contract supply chain, including contractors who work directly with the DoD and subcontractors who work with primes or other DoD Subcontractors to carry out or complete contracts, must abide by the CMMC.
In light of the unfolding developments in the Cybersecurity Maturity Model Certification (CMMC) landscape, the defense contracting sphere is entering a pivotal period where stringent adherence to the newly emphasized standards is not just recommended but becoming mandatory.
Exhibit 7: Prime Contractors' Responsibilities
Prime contractors find themselves with heightened responsibilities as the Department of Defense (DoD) elevates its security requisites, impacting both the prime and their subcontractors significantly. Here is a detailed breakdown of the responsibilities and the anticipated shifts in the CMMC paradigm.
Exhibit 8: Subcontractors' Responsibilities
The CMMC Ecosystem has several stakeholders. Some of the most important are shown in the image below:
Exhibit 9: The CMMC Ecosystem
In the defense industry, understanding and mitigating potential attack surfaces is imperative. As a Defense Contractor, being aware of these areas is vital:
Exhibit 10: Attack Surfaces in the Defense Supply Chain
The Road Ahead: Timeline and Expectations
While the official implementation of the new rule is anticipated to be either in mid to late 2024 or even early 2025, there is an undercurrent of urgency resonating in the sector, propagated mainly by the prime contractors. Besides that, a significant wave of conformity assessment requests is expected to flood C3PAOs, given the limited number of authorized bodies and qualified assessors to conduct the assessments. Defense Contractors should remain cautious amidst the growing overhype, steering clear from misinformation and focusing on achieving compliance in a structured manner. As the defense industrial base braces for the imminent CMMC tidal wave, it is incumbent upon businesses at every tier of the supply chain to foster a culture of readiness and vigilance. It is a critical juncture where preparation and early adoption of the CMMC norms can potentially delineate the leaders from the laggards in securing DoD contracts in the future. Thus, it is more prudent than ever for organizations to kickstart their journey toward CMMC certification, beginning with a robust NIST SP 800-171 implementation.
According to DoD, there are approximately 300,000 organizations that would require CMMC. There are about 80,000 organizations that require CMMC Level 2 and Level 3, and the rest require CMMC Level 1 compliance.
Most businesses will need certification at one of the three levels to qualify for government contracts. The Department of Defense is working with the CMMC Accreditation Body (Cyber-AB) to enforce the process, ensuring its validity and certifying independent third-party assessment organizations (C3PAOs).
The level necessary depends on whether the company is dealing with CUI or FCI. FCI would require the company to complete Level 1, and dealing with CUI would require the company to have achieved Level 2.
NIST 800-171 requirements have already started appearing in solicitations. Because CMMC compliance is a long journey, DoD currently still allows you to bid on contracts.
However, in the future, the Government will only allow companies to bid on the contract if they are CMMC-certified.
In anticipation of the final CMMC rule, DIBCAC, the DoD's ultimate authority on compliance, has increased its audit staff size in response to the pressing need to improve security in the Defense Industrial Base.
Since CMMC Compliance is a long process, the earlier the company begins, the greater advantage it will have before it becomes law. Obtaining CMMC certification is a comprehensive process that hinges on the following:
Based on our NIST 800-171 and CMMC compliance preparatory services, below is a general timeframe to become assessment-ready that OSCs need to be aware of:
Exhibit 11: CMMC Assessment Readiness Timeline
The following provides a general breakdown of the different stages and their anticipated timelines:
Exhibit 12: CMMC Compliance Stages and Timelines
These timelines are estimations and can vary depending on individual circumstances. Considering the lengthy nature of this process, it is recommended to initiate preparations as soon as possible and stay updated with the latest guidance from the DoD and the Cyber-AB.
Leveraging the impending enforcement of CMMC, organizations must urgently engage in this process not only to comply with regulatory norms but also to enhance their chances of securing contracts and fostering robust cybersecurity grounded in NIST SP 800-171 and CMMC protocols.
The endeavor will address the critically low implementation rates of NIST SP 800-171, positioning companies more favorably in the competitive landscape once CMMC compliance becomes a legal requirement.
The journey to CMMC certification is a long one. The company usually begins by identifying where to start and what level they want to achieve. Your company can begin the journey to CMMC certification by familiarizing itself with the CMMC 2.0 framework. It is important to have background knowledge and know all things CMMC to understand the journey's significance.
Exhibit 13: CMMC Compliance Journey
Here is what the journey to CMMC Compliance looks like:
Small businesses, including those classified as Organization Seeking Certification (OSC) in the defense industrial base, often find themselves grappling with numerous challenges when navigating the path to CMMC compliance.
Exhibit 14: Challenges faced by small businesses to comply with CMMC
The CMMC assessment costs will depend upon several factors, including which CMMC level your company is achieving and the complexity of the DIB company's unclassified network for the certification boundary.
CMMC assessment expenses are predicted to be lower than under CMMC 1.0 because the Department of Defense intends to standardize the requirements at all levels instead of defining unique practices/processes, allowing organizations achieving Level 1 and some Level 2 programs to proceed with self-assessments instead of third-party assessments, while strengthening the third-party evaluations that remain.
DoD will release a new cost estimate associated with the CMMC 2.0 program, which will be published on the Federal Register as part of the rulemaking process. It is essential to note that the costs for implementing cybersecurity controls arise from the requirement to comply with and safeguard information, defined in FAR 52.204-21 and DFARS 252.204-7012.
Exhibit 16: Sample CMMC Cost Estimate
Here are the cost considerations to keep in mind for CMMC compliance for your company. Get expert insights on how to minimize these costs to obtain and maintain your CMMC certification.
Exhibit 17: CMMC Cost Drivers
The DoDI 5000.79 "Defense-Wide Sharing of Supplier Performance Information (P.I.)," published on October 15, 2019, established policy and assigned responsibilities for managing the defense-wide collection and sharing of performance information on suppliers, products, and services.
DoD Supplier Performance Risk System (SPRS) is a procurement risk analysis tool for Price, Item, and Supplier risk. The Price Risk tool compares industry prices to the average price paid by the Government. The Item Risk tool flags items identified as high risk (based on critical safety/application or risk of counterfeiting). The Supplier Risk tool scores vendors on DoD-wide contract performance.
SPRS supports DoD Acquisition Professionals with meeting acquisition regulatory and policy requirements by providing the following:
SPRS provides storage and access to the NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module contains the assessment date, score, scope, plan of action completion date, included Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP date, and confidence level.
Exhibit 18: SPRS Data Flow
The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments.
An "SPRS Cyber Vendor User" role is required for companies to enter/edit basic self-assessment information. One may be created if a record header for the Highest-Level Owner (HLO) does not exist. Once the HLO header has been created, assessments for CAGE codes that fall within the HLO hierarchy may be added.
All DIB companies, regardless of CMMC 2.0 Level, must upload their SPRS score into the DoD SPRS system.
The Department of Defense (DoD) will permit the limited use of POA&Ms (Plans of Action and Milestones) for companies that have not yet met all the security controls at the time of award of defense contracts under CMMC 2.0.
For CMMC Level 1, the DoD prohibits the use of Plans of Action & Milestones (POA&Ms), requiring contractors to validate their compliance directly in the Supplier Performance Risk System (SPRS) to affirm their ongoing commitment to FCI protection.
Also, POA&Ms will not be allowed for the most critical security requirements, which are the most difficult to meet. (The DoD uses a self-assessment method that assigns a weight of 1, 3, or 5 points to each of the 110 controls in NIST SP 800-171. The scoring starts at a maximum of 110, and points are subtracted for each control yet to be implemented. As most controls are worth more than one point, the self-assessment scores can be negative and range from -203 to +110.)
Although final information has yet to be released, Stacy Bostjanick, the director of the CMMC program for the DoD, stated in June 2022 that POA&Ms will be allowed for controls weighted at 1 or 3 points but not for controls weighted at 5 points.
The DoD also plans to set a minimum score that must be achieved when using POA&Ms for CMMC certification, and POA&Ms will have a time limit, which will be strictly enforced. The time limit has yet to be decided, but 180 days is under consideration. It is not yet known when the 180-day POA&M clock will start, but it is likely to be upon the award of a contract, either by DoD to a prime contractor or by a contractor to a subcontractor.
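The scoring and POA&M rules described above, worked through in code as an added example (not part of the original guide and not the DoD's own tooling): it computes the self-assessment score from the list of controls still open, separates the findings a POA&M may cover (1- and 3-point controls) from those that must be closed before award (5-point controls), and projects the due date under the 180-day clock the guide says is under consideration. Control identifiers, weights and summaries in the sample are constructed placeholders, not the official DoD assessment methodology weights.

```python
"""SPRS-style self-assessment scoring and POA&M triage (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110                 # every one of the 110 NIST SP 800-171 controls implemented
MIN_SCORE = -203                # floor cited in the guide; used here only as a sanity bound
VALID_WEIGHTS = {1, 3, 5}
POAM_ELIGIBLE_WEIGHTS = {1, 3}  # 5-point controls may not be deferred to a POA&M
POAM_DAYS = 180                 # time limit the guide says is under consideration


@dataclass(frozen=True)
class Finding:
    """One NIST SP 800-171 control that is NOT yet implemented."""
    control_id: str
    weight: int
    summary: str

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5, got {self.weight}")


def sprs_score(findings):
    """Start at 110 and subtract the weight of every unimplemented control."""
    ids = [f.control_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control ids in findings")
    score = MAX_SCORE - sum(f.weight for f in findings)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the valid range")
    return score


def triage_for_poam(findings):
    """Split open findings into those a POA&M may cover and those that block award."""
    deferrable = [f for f in findings if f.weight in POAM_ELIGIBLE_WEIGHTS]
    blocking = [f for f in findings if f.weight not in POAM_ELIGIBLE_WEIGHTS]
    return deferrable, blocking


def poam_deadline(award_date, days=POAM_DAYS):
    """Due date if the POA&M clock starts on contract award, as the guide anticipates."""
    return award_date + timedelta(days=days)


# Constructed sample: placeholder ids, weights and summaries, not the official
# DoD assessment methodology values.
SAMPLE_FINDINGS = [
    Finding("REQ-012", 5, "constructed: high-weight control still open"),
    Finding("REQ-037", 3, "constructed: medium-weight control still open"),
    Finding("REQ-058", 1, "constructed: low-weight control still open"),
    Finding("REQ-091", 1, "constructed: low-weight control still open"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    deferrable, blocking = triage_for_poam(SAMPLE_FINDINGS)
    print("POA&M-eligible:", [f.control_id for f in deferrable])
    print("Must be closed before award:", [f.control_id for f in blocking])
    print("POA&M due:", poam_deadline(date(2025, 1, 15)))  # constructed award date
```

With the constructed sample the score is 100 (110 minus 5+3+1+1), REQ-012 is the only finding that cannot be deferred, and a 2025-01-15 award gives a 2025-07-14 POA&M due date.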
The proposed rule allows DoD Program Managers to seek approval to waive CMMC requirements in certain circumstances. However, the details of this process still need to be fully outlined.
These waivers may only be granted for specific mission-critical contracts and require a detailed justification package, including a plan for risk mitigation and a timeline for meeting CMMC requirements. Approval for waivers will come from high-level DoD leadership and apply to the entire CMMC requirement, not just individual controls. More information on waivers will be established during the rulemaking process.
The proposed rule requires subcontractors at all levels of the supply chain to adhere to CMMC standards. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor. The particular CMMC Level necessary for each subcontractor will correspond to the nature of the information they process, which might vary from that of the main contractor.
Suppose a DIB company does not process, store, or transmit CUI on its unclassified network but does process, store, or handle FCI. In that case, it must comply with CMMC Level 1 at a minimum.
The DoD will have access to your assessment details, including results and the final report, once CMMC 2.0 is fully operational, storing this data in the SPRS and eMASS databases.
CMMC assessments aim to ensure systems handling DoD CUI meet the security requirements outlined in specific FAR and DFARS clauses, including adhering to the "adequate security" standard of NIST SP 800-171. If full CMMC deployment compromises system functionality, the concerned system should not be used to process, store, or transmit DoD CUI, as it fails to satisfy the necessary security prerequisites to safeguard such information.
Alternatively, contractors may opt for an enclave approach to CMMC compliance, which restricts the scope of compliance to a much smaller subset of the network.
In the context of the CMMC framework, a CMMC Enclave refers to a controlled and secure computing environment within a defense contractor's network specifically designed to handle Controlled Unclassified Information (CUI). By creating these CUI enclaves, sensitive data and operations are segmented from the rest of the organization's network, offering an elevated level of security.
Exhibit 19: The CMMC Enclave Approach
Achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) can be challenging for DIB contractors. However, by working with a Registered Provider Organization (RPO), contractors can gain access to the guidance, expertise, and resources necessary to successfully navigate the requirements and best practices for each maturity level. Here are a few of the benefits of working with InterSec:
We provide CMMC Consulting, Gap Assessment, Implementation, and Compliance support and provide CMMC Enclaves resulting in rapid and cost-effective compliance for Small and Medium businesses. We demonstrate rapid CUI scoping capabilities to begin your CMMC compliance journey.
We have expertise in technical remediation and provide audits for your company. We are a dedicated team of professionals to help your company meet your CMMC needs through cost-effective solutions.
Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.
Partnering with an RPO like InterSec can significantly increase a DIB Contractor's chances of quickly achieving and maintaining CMMC compliance. InterSec, a Cyber-AB RPO, has years of experience helping Federal Contractors navigate complex compliance requirements. As a Cybersecurity organization, we provide end-to-end CMMC Compliance consulting.