Welcome to our most comprehensive guide on CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) is a program implemented by the U.S. Department of Defense (DoD) to ensure that organizations handling federal contract information (FCI) and controlled unclassified information (CUI) have appropriate cybersecurity controls in place to protect that information from unauthorized access, use, or disclosure. CMMC 2.0 introduces a tiered system of three levels, ranging from Level 1 (Foundational) to Level 3 (Expert).
However, small businesses may face challenges in complying with CMMC, including limited resources and a lack of understanding of the process. The journey toward CMMC certification can take anywhere from a month to 2 years, depending on your organization's complexity, locations, current cybersecurity posture and the level of certification you are seeking. The cost of CMMC compliance can vary, but it is important to carefully consider your budget and work with a professional consulting firm to find a solution that fits your needs.
This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance. Here is the list of topics covered:
But why is CMMC compliance important? As cyber threats evolve and become more sophisticated, organizations must prioritize cybersecurity to protect their assets and data. CMMC compliance will soon be a requirement for DoD contractors, with DoD expecting the requirements to begin appearing in solicitations during 2023 once rulemaking is complete. If your organization handles FCI or CUI for the DoD, it is important to understand which CMMC level you need and begin the journey toward certification. There are many benefits to achieving CMMC compliance, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information.
The Department of Defense (DoD) required, through DFARS clause 252.204-7012 and with a deadline of December 31, 2017, that all organizations handling CUI implement the 110 security requirements listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171): Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
However, despite this regulation, CUI leakage persisted, endangering American national security.
The core reason why NIST 800-171 compliance was insufficient is because it relied on self-assessments.
But why was it problematic? Here are a few reasons:
To overcome the shortcomings in NIST 800-171 compliance enforcement, and to address the need to continually defend the vast attack surface of the Defense Industrial Base (DIB), DoD released the tiered Cybersecurity Maturity Model Certification (CMMC) framework in 2020.
In 2015, the National Institute of Standards and Technology (NIST) released Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Subsequently, the Department of Defense (DoD) issued DFARS clause 252.204-7012 to enforce compliance by the Defense Industrial Base (DIB) with the NIST 800-171 requirements. The DIB was required to self-attest its compliance with NIST SP 800-171's 110 requirements by December 31, 2017.
Despite regulations aimed at preventing it, the continued occurrence of CUI (Controlled Unclassified Information) breaches remains a threat to national security in the United States.
This regulation was insufficient because NIST 800-171 compliance relied on self-assessment. Self-assessment was problematic because of the complexity of the controls, improper implementation, and subjective scoring; in some cases companies simply checked the box without understanding the requirement at all. The lack of rigor in enforcing NIST 800-171 compliance left the DIB vulnerable to cyber threats, including Advanced Persistent Threats (APTs).
In January 2020, the DoD released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) framework (revised shortly afterward as version 1.02). Unlike the self-attestation model of DFARS 252.204-7012, CMMC 1.0 required every contractor handling CUI to implement the 110 NIST SP 800-171 requirements (plus additional CMMC-specific practices) and to have that implementation verified by a third-party assessor.
CMMC addresses requirements for the protection of FCI and CUI data:
2021-Present
The CMMC program's original form was criticized for its complexity and anticipated certification costs. Driven by feedback across the industry, CMMC has since been reworked into a hybrid certification model. This new version, referred to as CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while maintaining the goal of protecting the Defense Industrial Base from cyber-attacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from 5 to 3 compliance levels.
In 2022, DoD released a memorandum that stated:
The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” in effect at the time the solicitation is issued or as authorized by the contracting officer.
DoD is on pace to release a new DFARS interim rule in March 2023 that will codify CMMC in regulation via DFARS clause 252.204-7021. Once the rule is released, CMMC requirements may appear in contracts.
From May 2023, DoD expects to include CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and flow down to all subcontractors throughout the supply chain.
CMMC was created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks. It specifically intends to improve the security of federal contract information (FCI) and controlled unclassified information (CUI) transferred within the DIB.
CMMC compliance aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The original CMMC 1.0 model drew on processes and practices from several cybersecurity standards, including NIST SP 800-53, ISO 27001, UK Cyber Essentials and the Australian Cyber Security Centre's Essential Eight Maturity Model. The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.
As threats change, CMMC 2.0 revises the original CMMC 1.0 framework to improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations.
Three levels based on well-recognized NIST cybersecurity standards (NIST SP 800-171 for Levels 1 and 2, with a subset of NIST SP 800-172 added at Level 3) have replaced the five compliance levels of CMMC 1.0.
With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements.
The CMMC 2.0 framework has three levels:
The significance of CMMC connects back to United States national security. The Defense Industrial Base (DIB) is a global industrial complex that supports vital goods and services such as the design, manufacture, delivery, and maintenance of military weapons systems to satisfy the needs of the U.S. military. The DIB supply chain comprises more than 300,000 businesses that work for the DoD under contract. Under CMMC, defense contractors must have their cybersecurity posture assessed before contract award: by annual self-assessment at Level 1, and for most CUI work by an impartial third party. In addition to the complexity of what is at risk, studies estimate the global cost of cybercrime at around $945 billion, more than 1% of global GDP. The Department of Defense is putting in maximum effort to reduce these costs and risks through CMMC.
Below are the benefits of complying with CMMC:
The CMMC Ecosystem has several stakeholders. Some of the most important are shown in the image below:
CMMC is a requirement for all companies that want to work as a contractor or subcontractor on DoD contracts within the Defense Industrial Base. Everyone in the defense contract supply chain, including prime contractors that work directly with the DoD and subcontractors that work with primes to carry out contracts, must meet the CMMC requirements that flow down to them.
To qualify for DoD contracts, most businesses will need certification at one of the three levels. The Department of Defense works with the CMMC Accreditation Body (Cyber-AB) to administer the process; the Cyber-AB accredits and oversees the independent third-party assessment organizations (C3PAOs) that perform certification assessments.
The level required depends on whether the company handles FCI or CUI. Handling only FCI requires Level 1; handling CUI requires Level 2 (or Level 3 for DoD's highest-priority programs).
According to the Department of Defense's timeline, CMMC requirements could appear in solicitations as early as May 2023.
Currently, CMMC compliance is a soft requirement, but it is anticipated to become a contractual requirement through DFARS rulemaking by May 2023. Because CMMC compliance is a long journey, companies are still allowed to bid on contracts today. In the future, however, the government will not allow a company to bid on a contract unless it holds the CMMC certification that contract requires.
Based on our NIST 800-171 and CMMC compliance preparatory services, below is a general timeframe that Organizations Seeking Certification (OSCs) need to be aware of:
Since it is such a long process, the earlier a company begins, the greater the advantage it will have before CMMC becomes a contract requirement.
The journey to CMMC certification is a long one. A company usually begins by identifying its starting point and the level it needs to achieve, then familiarizes itself with the CMMC 2.0 framework; that background is needed to understand the significance of each step in the journey.
Here is what the journey to CMMC compliance looks like:
The assessment requirements under CMMC 2.0 are as follows:
CMMC Level 1(Foundational): This Foundational level focuses on the protection of Federal Contract Information (FCI). Level 1 companies are required to self-assess and attest annually.
CMMC Level 2 (Advanced): This Advanced level focuses on the protection of Controlled Unclassified Information (CUI). Level 2 companies are required to undergo a triennial assessment by a C3PAO.
CMMC Level 3 (Expert): This Expert level focuses on the protection of CUI for DoD's highest-priority programs. Level 3 companies are required to undergo triennial government-led assessments.
Based on our past NIST 800-171 and CMMC compliance engagements with our customers, we observed that the following controls were typically difficult to implement and sustain operationally.
In November 2022, Nick DelRosso, Director of the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), provided insights into the top 10 controls most often determined to be Other Than Satisfied (OTS) during DIBCAC assessments of DIB organizations.
The DoDI 5000.79 "Defense-Wide Sharing of Supplier Performance Information (PI)," published on October 15, 2019, established policy and assigned responsibilities for managing the defense-wide collection and sharing of performance information on suppliers, products, and services.
DoD Supplier Performance Risk System (SPRS) is a procurement risk analysis tool for Price, Item, and Supplier risk. The Price Risk tool compares industry prices to the average price paid by the government. The Item Risk tool flags items identified as high risk (based on critical safety/application or risk of counterfeiting). The Supplier Risk tool scores vendors on DoD-wide contract performance.
SPRS supports DoD Acquisition Professionals with meeting acquisition regulatory and policy requirements by providing the following:
SPRS provides storage of and access to NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module records the assessment date, score, scope, and Plan of Action completion date, the included Commercial and Government Entity (CAGE) code(s), the System Security Plan (SSP) name, SSP version, SSP date, and the assessment confidence level.
The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments.
An "SPRS Cyber Vendor User" role is required for companies to enter/edit basic self-assessment information. One may be created if a record header for the Highest-Level Owner (HLO) does not exist. Once the HLO header has been created, assessments for CAGEs who fall within the HLO hierarchy may be added.
DIB contractors subject to DFARS 252.204-7012 (that is, those that handle CUI) must have a current NIST SP 800-171 Basic Assessment score posted in SPRS under DFARS 252.204-7019 and 252.204-7020. The SSP and POA&M documents themselves are not uploaded to SPRS; SPRS records the score together with the assessment date, scope, SSP name, version and date, and the planned POA&M completion date.
The Department of Defense (DoD) will permit the use of POA&Ms (Plans of Action and Milestones) for companies that have not yet met all the security requirements at the time of award under CMMC 2.0. However, POA&Ms will not be allowed for the most critical (highest-weighted) security requirements. The DoD Assessment Methodology for NIST SP 800-171 assigns a weight of 1, 3, or 5 points to each of the 110 requirements. Scoring starts at a maximum of 110, and the weight of each requirement not yet implemented is subtracted. Because many requirements carry 3 or 5 points, scores can be negative and range from -203 to +110.
Although final information has not yet been released, Stacy Bostjanick, the director of the CMMC program for the DoD, stated in June 2022 that POA&Ms will be allowed for controls weighted at 1 or 3 points but not for controls weighted at 5 points.
The DoD also plans to set a minimum score that must be achieved when using POA&Ms for CMMC certification, and POA&Ms will have a strictly enforced time limit. The time limit has not been finalized, but 180 days is the figure under consideration. It is also not yet known when the 180-day POA&M clock will start, but it is likely to be upon award of a contract, either by DoD to a prime contractor or by a contractor to a subcontractor.
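To make the scoring and POA&M rules above concrete, here is an added example (not code from the original article and not an official DoD or SPRS tool) that computes a NIST SP 800-171 score from an assessment export and splits the open findings into those that may go on a POA&M and those that must be fixed before award. It applies the scoring rule exactly as described: start at 110 and subtract the 1-, 3- or 5-point weight of every requirement not implemented. The POA&M split uses the 1-or-3-point rule from the June 2022 statement quoted above, which is not final rulemaking. The CSV is a constructed sample, its column layout and the weights attached to each requirement are assumptions for illustration, and it covers only a handful of the 110 requirements (anything not listed is treated as implemented).

```python
"""NIST SP 800-171 self-assessment score and POA&M eligibility check.

Added example for this article; not an official DoD Assessment Methodology
implementation. Scoring rule: 110 minus the weight of each open requirement.
POA&M rule: open items weighted 1 or 3 may be deferred, 5-point items may not
(June 2022 statement, not final rulemaking). The sample CSV, its columns and
the weights assigned to each requirement are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

MAX_SCORE = 110                 # every requirement implemented
MIN_SCORE = -203                # every requirement open, per the methodology
VALID_WEIGHTS = {1, 3, 5}
POAM_ELIGIBLE_WEIGHTS = {1, 3}  # 5-point items must be closed before award
VALID_STATUSES = {"implemented", "not_implemented"}


@dataclass(frozen=True)
class Finding:
    requirement: str   # NIST SP 800-171 requirement number, e.g. "3.3.1"
    weight: int        # 1, 3 or 5 points (assumed values in the sample below)
    status: str        # "implemented" or "not_implemented"


def parse_assessment(csv_text: str) -> list[Finding]:
    """Parse an export with columns requirement,weight,status (assumed layout).

    Rejects unknown weights or statuses and duplicate requirement numbers, so a
    typo in the export cannot silently inflate the score.
    """
    findings: list[Finding] = []
    seen: set[str] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        req = row["requirement"].strip()
        weight = int(row["weight"])
        status = row["status"].strip().lower()
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{req}: weight {weight} is not 1, 3 or 5")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if req in seen:
            raise ValueError(f"{req}: listed more than once")
        seen.add(req)
        findings.append(Finding(req, weight, status))
    return findings


def sprs_score(findings: list[Finding]) -> int:
    """110 minus the weight of every requirement that is not implemented."""
    deduction = sum(f.weight for f in findings if f.status == "not_implemented")
    score = MAX_SCORE - deduction
    if score < MIN_SCORE:
        # More than 313 points of deductions cannot come from 110 requirements.
        raise ValueError("deductions exceed the methodology total; check the input")
    return score


def poam_split(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Return (POA&M-eligible open items, open items that block award)."""
    open_items = [f for f in findings if f.status == "not_implemented"]
    eligible = [f for f in open_items if f.weight in POAM_ELIGIBLE_WEIGHTS]
    blocking = [f for f in open_items if f.weight not in POAM_ELIGIBLE_WEIGHTS]
    return eligible, blocking


def report(csv_text: str) -> dict:
    """Score an export and list which open items may be deferred to a POA&M."""
    findings = parse_assessment(csv_text)
    eligible, blocking = poam_split(findings)
    return {
        "score": sprs_score(findings),
        "poam_eligible": [f.requirement for f in eligible],
        "must_fix_before_award": [f.requirement for f in blocking],
    }


# Constructed sample export. Weights are assumed for illustration; consult the
# DoD Assessment Methodology for the authoritative values. Requirements not
# listed are treated as implemented.
SAMPLE_ASSESSMENT = """requirement,weight,status
3.1.1,5,implemented
3.1.2,5,implemented
3.1.4,1,not_implemented
3.1.5,3,implemented
3.1.20,1,not_implemented
3.3.1,5,not_implemented
3.4.1,5,implemented
3.8.3,5,implemented
3.10.3,1,not_implemented
3.12.2,3,not_implemented
3.14.1,5,implemented
"""

if __name__ == "__main__":
    result = report(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {result['score']}")
    print(f"POA&M-eligible: {', '.join(result['poam_eligible'])}")
    print(f"Must fix before award: {', '.join(result['must_fix_before_award'])}")
```

On the sample, the open items deduct 1 + 1 + 5 + 1 + 3 = 11 points for a score of 99; the single 5-point gap (3.3.1) is the one that cannot be deferred. Two caveats a practitioner should keep in mind: the methodology allows partial credit (3 points deducted instead of 5) for two specific requirements, which this example does not model, and the minimum score DoD intends to require alongside a POA&M had not been published when the article was written, so no threshold is hard-coded here.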
To maintain flexibility and the ability to act quickly, the Department of Defense (DoD) will allow for limited waivers in the CMMC 2.0 program. These waivers will only be granted for certain mission-critical contracts and require a detailed justification package, including a plan for risk mitigation and a timeline for meeting CMMC requirements. Approval for waivers will come from high-level DoD leadership and apply to the entire CMMC requirement, not just individual controls. More information on waivers will be established during the rulemaking process.
CMMC assessment costs will depend on several factors, including which CMMC level your company is pursuing and the complexity of the unclassified network that falls within the assessment boundary.
DoD will release a new cost estimate for the CMMC 2.0 program, to be published in the Federal Register as part of the rulemaking process.
It is essential to note that the costs for implementing cybersecurity controls arise from the requirement to comply with and safeguard information, defined in FAR 52.204-21 and DFARS 252.204-7012.
CMMC assessment expenses are expected to be lower than under CMMC 1.0 because the Department of Defense has aligned the requirements at every level with existing NIST standards rather than CMMC-unique practices and processes, allows organizations at Level 1 and for some Level 2 programs to self-assess instead of undergoing third-party assessment, and concentrates third-party assessment where CUI is at stake.
According to DoD, approximately 300,000 organizations will require CMMC. Of these, an estimated 80,000 will require Level 2 or Level 3; the rest will require Level 1.
Achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) can be challenging for DIB Contractors. However, by working with a Registered Provider Organization (RPO), contractors can gain access to the guidance, expertise, and resources necessary to successfully navigate the requirements and best practices for each maturity level.
RPOs can assist with the assessment process, provide training and resources, and offer feedback and recommendations for improvement. Partnering with an RPO can significantly increase a DIB Contractor's chances of quickly achieving and maintaining CMMC compliance.
InterSec, a Cyber-AB RPO, has years of experience helping Federal Contractors navigate complex compliance requirements. As a Cybersecurity organization, we provide end-to-end CMMC Compliance consulting.
We provide a compliance-accelerated platform and rapid CUI scoping to begin your CMMC compliance journey. We have expertise in technical remediation and provide audits for your company. We are a dedicated team of professionals to help your company meet your CMMC needs through cost-effective solutions. Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.