Your most updated guide to CMMC 2.0

What, how, and why

Welcome to our most comprehensive guide on CMMC 2.0! The Cybersecurity Maturity Model Certification (CMMC) is a program implemented by the U.S. Department of Defense (DoD) to ensure that organizations handling controlled unclassified information (CUI) have appropriate cybersecurity controls in place to protect sensitive information from unauthorized access, use, or disclosure. In addition, CMMC 2.0 introduces a tiered system of levels, ranging from Level 1 (Basic Cybersecurity Hygiene) to Level 3 (Advanced/Progressive).

But why is CMMC compliance important? As cyber threats evolve and become more sophisticated, organizations must prioritize cybersecurity to protect their assets and data. CMMC compliance will soon be a requirement for DoD contractors, with requirements appearing in solicitations starting by Fall 2023. If your organization handles CUI for the DoD, it is vital to understand which CMMC level you need and begin the journey toward certification.

There are many benefits to achieving CMMC compliance, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information. However, small businesses may face challenges in complying with CMMC, including limited resources and a lack of understanding of the process. The journey toward CMMC certification can take anywhere from several months to a year, depending on your organization's current cybersecurity posture and the level of certification you are seeking. The cost of CMMC compliance can vary, but it is essential to carefully consider your budget and work with a professional consulting firm to find a solution that fits your needs.

This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance.

The origin of Cybersecurity Maturity Model Certification

In 2015, the National Institute of Standards and Technology (NIST) released Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Subsequently, the Department of Defense (DoD) issued contract clause 252.204-7012 to enforce compliance by the Defense Industrial Base (DIB) with the NIST 800-171 control requirements. The DIB was required to self-attest its compliance with NIST SP 800-171's 110 controls by late 2017.

In early 2020, the DoD released its Cybersecurity Maturity Model Certification (CMMC) 1.1 framework, which mandated that all organizations exchanging CUI enforce the 110 security controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to safeguard defense controlled unclassified information (CUI).

However, despite the existence of this regulation, CUI leakage persisted, endangering American national security. One reason this regulation was insufficient is that NIST 800-171 relied on self-assessments. This was problematic for a few reasons. For example, the security controls are complex, and an organization implementing or assessing them itself can easily misunderstand the requirements and incorrectly score its own assessment. In addition, self-assessments are usually not performed regularly and consistently, which decreases the reliability and validity of the results. Another problem is that complying with NIST 800-171 does not necessarily mean that security is ensured at the company: even if an organization satisfies a security control requirement, the assessment does not address the strength and maturity of the implementation used to fulfill it.

To address this problem, the DoD released its Cybersecurity Maturity Model Certification (CMMC) 1.1 framework in early 2020. The DoD subsequently released a simplified CMMC framework 2.0 in 2021. In 2022, DoD released a memorandum that stated:

The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" in effect at the time the solicitation is issued or as authorized by the contracting officer.

More to come with CMMC

In March 2023, DoD is on pace to release a new DFARS Interim Rule that will codify CMMC into law via the DFARS 7021 clause. Once released, the Rule will allow CMMC requirements to appear in contracts.

In May 2023, DoD expects to include CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and all subcontractors throughout their supply chain.

CMMC scope includes

CMMC is a cost-effective solution to prevent CUI leakage by verifying that companies follow the NIST SP 800-171 security controls.

In addition to providing an accurate assessment of each company’s compliance status, CMMC also enables the DoD and other government agencies to issue corrective action plans (CAP) for those contractors that fail their audits. These CAPs allow companies to self-correct their deficiencies before losing access to classified information or being suspended from performing work on DoD contracts. As a result of CMMC’s security controls assessment, companies can now implement the appropriate corrective actions to protect CUI and prevent unauthorized disclosure.

What is CMMC 2.0?

CMMC was created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks. It specifically intends to improve the security of federal contract information (FCI) and controlled unclassified information (CUI) transferred within the DIB.

The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.

The certification process involves conducting an assessment and submitting the results for evaluation by a third-party assessor. The process begins with a DIB-specific security assessment designed to identify gaps in the organization’s cybersecurity posture. This assessment provides evidence of an organization’s compliance with NIST Special Publication 800-171. The results are then evaluated by a third-party assessor, who will determine whether or not a contractor can become CMMC certified. The Cyber AB is the exclusive authorized non-governmental partner of the U.S. Department of Defense in setting up and managing the CMMC conformance regime. It is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC).

The system is designed to be flexible and scalable, allowing contractors to assess their cybersecurity maturity level by completing the assessment process at their own pace. Contractors can use the results of this assessment as a baseline for improvement, or they may simply choose to participate to receive certification without having to perform any additional work beyond submitting the results for evaluation. As threats change, CMMC 2.0 expands on the original CMMC 1.0 framework to dynamically improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations. Three levels based on well-recognized NIST cybersecurity standards replace the five cybersecurity compliance levels in CMMC 1.0.

What are the CMMC 2.0 Levels?

The CMMC 2.0 framework has three levels:

  1. The first level is Foundational. This level focuses on the protection of Federal Contract Information (FCI). FCI is information generated for a contract and not intended to be accessible to the public. Level 1 tests the basic cyber hygiene of the company.
  2. The second level is Advanced. This level focuses on protecting Controlled Unclassified Information (CUI). It aligns with security controls developed by the National Institute of Standards and Technology (NIST).
  3. The third level is Expert. This level is focused on the Department of Defense's highest priority programs and works on reducing risks from Advanced Persistent Threats (APTs). An organization must have processes in place to detect and respond to APTs, including the ability to monitor, scan, and perform data forensics. An organization should also have a process to detect and respond to the changing tactics, techniques, and procedures (TTPs) of APTs.

How many practices and controls does CMMC have?

  1. Level 1 (Performed: 15 practices). To protect Federal Contract Information, a company must follow fundamental cyber hygiene procedures, like requiring employees to change passwords frequently. This level includes an annual self-assessment and an annual affirmation.
  2. Level 2 (Managed: 110 practices). To protect CUI, a company needs to have an institutionalized management strategy that includes all the NIST 800-171 r2 security requirements and procedures. This level contains a triennial third-party assessment and an annual affirmation.
  3. Level 3 (Optimizing: 110+ practices). A company needs to implement standardized, optimized processes as well as extra, improved practices that can identify and react to evolving advanced persistent threats (APTs). This level includes a triennial government-led assessment and an annual affirmation.

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements. These are:

Streamlined Model
  • Focused on the most critical requirements: streamlines the model from 5 to 3 compliance levels
  • Aligned with widely accepted standards: uses National Institute of Standards and Technology (NIST) cybersecurity standards
Reliable Assessments
  • Reduced assessment costs: allows all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments
  • Higher accountability: increases oversight of the professional and ethical standards of third-party assessors
Flexible Implementation
  • Spirit of collaboration: allows companies, under certain limited circumstances, to use Plans of Action & Milestones (POA&Ms) to achieve certification
  • Added flexibility and speed: allows the Government to waive inclusion of CMMC requirements under certain limited circumstances

Why is CMMC compliance important?

CMMC compliance is important because there is highly sensitive national information at risk, and the government requires contractors to practice set standards and regulations in order to strengthen the security with which the information is dealt. Specifically, if the company is dealing with controlled unclassified information (CUI) or federal contract information (FCI), the company is required to have CMMC compliance in order to protect the information. CMMC ensures that companies working with the Department of Defense are meeting the set security protocols and standards.

The significance of CMMC connects back to the national security of the United States. The Defense Industrial Base (DIB) is a global industrial complex with the goal of supporting vital services and goods such as the design, manufacture, delivery, and maintenance of military weapons systems in order to satisfy the needs of the U.S. military. The DIB supply chain is made up of more than 300,000 businesses that work for the DoD under contract. Defense contractors must have their cybersecurity status inspected and confirmed by an impartial third party before signing a contract with the DoD. In addition to the complexity of what is at risk, studies show that the estimated global cost of cybercrime is around $945 billion, which is more than 1% of the global GDP. The Department of Defense is putting in maximum effort to reduce these costs and risks through CMMC.

When will CMMC requirements start appearing in solicitations?

It is predicted that, in the Department of Defense's timeline, CMMC requirements could appear in solicitations in May of 2023. Currently, CMMC compliance is a soft requirement; however, it will be law next year. Since CMMC compliance is a long journey, the DoD presently allows you to bid on contracts without certification; however, next year, the government will not allow companies to bid on contracts unless they are CMMC certified.

To whom does CMMC apply?

CMMC is a requirement for all companies who want to work as a contractor with the Defense Industrial Base. Everyone involved in the defense contract supply chain, including contractors that work directly with the DoD and subcontractors who work with primes to carry out or complete contracts, must abide by the CMMC.

According to DoD, there are approximately 300,000 organizations that would require CMMC. It's estimated that about 80,000 organizations would require CMMC Level 2 or Level 3, and the rest would require CMMC Level 1 compliance. Most businesses need certification at one of the three levels to qualify for government contracts. The Department of Defense is working with the CMMC Accreditation Body (Cyber AB) to enforce the process, ensure its validity, and certify independent CMMC Third-Party Assessment Organizations (C3PAOs). These third-party assessors will also evaluate and verify the CMMC certification process and assess compliance with quality management systems. Assessors are expected to be neutral, independent third parties who can conduct assessments per CMMC standards and requirements.

What CMMC level do I need?

The level necessary depends on whether the company is dealing with CUI or FCI. Handling FCI requires the company to complete Level 1, and handling CUI requires the company to achieve Level 2.

What are the benefits of CMMC Compliance?

There are many benefits of CMMC compliance. Your company will gain cybersecurity resilience and be better prepared for security threats. This would give the company the advantage of better protecting its assets and data. The company would be able to build on proposals with the government, and they would have the edge against competitors. Having CMMC compliance for your company will make your company more reliable as you declare that the company takes all necessary security measures and is better equipped for dealing with sensitive information compared to other companies.

What are the challenges faced by small businesses to comply with CMMC?

One of the challenges is cost, since the CMMC is a pricey journey. Depending on the level and the information handled, the price varies; however, it increases with each higher level, which may be out of a small business's budget. Most small businesses also do not know where or how to begin their journey. It is often best for a small company to hire external vendors to help it gain more knowledge and proceed on the right track. In addition, small businesses have little to no dedicated staff, and without experts on the topic, it would be difficult for the business to figure out how to comply with CMMC.

How long does it take to get CMMC certified?

The Department of Defense estimates that it takes 9 to 24 months to become CMMC certified. The first level would take between 1 to 3 months, the second level would take between 6 to 18 months, and the third level would take between 9 to 23 months. Since it is such a long process, the earlier the company begins, the greater advantage it will have before CMMC compliance becomes law in the next year.

What does the journey to CMMC certification look like?

The journey to CMMC certification is a long one. The company usually begins by identifying where to start and what level it wants to achieve. Your company can begin the journey to CMMC certification by familiarizing itself with the CMMC 2.0 framework. Having this background knowledge helps your company understand the significance of each step before proceeding. The journey to CMMC certification can look like this:

Ask an Expert
  • It is important to identify external partners who are dedicated to making your company CMMC certified in an efficient manner in order to accelerate the process. Registered Provider Organizations (RPOs) can help guide you throughout your journey, which can be both time- and cost-effective.
Create a CMMC Team
  • Within your organization, it is important to establish a team of resourceful individuals who can explicitly focus on the CMMC's progress. These employees should be knowledgeable on the topic and able to give their time and effort to help your company become successfully CMMC certified.
Identify the Level
  • When beginning the CMMC journey, you must identify which CMMC level your company wants to achieve. This depends on which contracts and projects your company wants to work on now and in the future.
Scope the Environment
  • Once the level is clarified, your organization will need to scope your compliance boundary. This means that there needs to be an in-depth investigation of who in the organization deals with CUI or FCI, which devices process it, and what organizational actions are related to it.
Gap Analysis and Remediation
  • Your company will need to perform a gap analysis. This means investigating and understanding the current state of the company and identifying the gaps between that state and the full set of CMMC requirements. If your company is already NIST compliant, that puts your company's status ahead. After the gap analysis comes remediation. Remediation is addressing the issues and gaps that arose in the analysis and working on fixing the problems.
Choose C3PAO and Get Certified!
  • For CMMC Level 1, a senior official at the organization must self-attest by signing the System Security Plan. The organization also needs to upload its score to the DoD Supplier Performance Risk System (SPRS).
  • For CMMC Level 2, an organization needs to find a C3PAO (CMMC Third-Party Assessment Organization) and undergo an audit.
  • For CMMC Level 3, an organization needs to undergo a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit.

How much does CMMC Compliance Cost?

The CMMC assessment costs will depend upon several factors, including which CMMC level your company is achieving and the complexity of the DIB company's unclassified network within the certification boundary. DoD will release a new cost estimate associated with the CMMC 2.0 program, which will be published in the Federal Register as part of the rulemaking process. It is essential to note that the costs of implementing cybersecurity controls arise from the existing requirement to comply with and safeguard information, as defined in FAR 52.204-21 and DFARS 252.204-7012.

CMMC assessment expenses are predicted to be lower compared to CMMC 1.0 because the Department of Defense intends to centralize the requirements at all levels instead of using CMMC-unique practices/processes, to allow organizations achieving Level 1 and some Level 2 programs to proceed with self-assessments instead of third-party assessments, and to strengthen the third-party assessments.

How can InterSec help?

InterSec has been helping organizations become CMMC certified for the past 8 years. As a DIB organization with years of experience, we provide compliance assessments and support and guide your organization's journey toward CMMC compliance.

We provide a compliance-accelerated platform and rapid CUI scoping to begin your CMMC compliance journey. We have expertise in technical remediation and provide audits for your company as well. We are a dedicated team of professionals to help your company meet your CMMC needs through cost-effective solutions. Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.