US Department of Defense

A Federal Contractor’s Guide to CMMC 2.0

Comprehensive and Updated Guide (Feb 2023)

Synopsis

Welcome to our most comprehensive guide on CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) is a program implemented by the U.S. Department of Defense (DoD) to ensure that organizations handling controlled unclassified information (CUI) have appropriate cybersecurity controls in place to protect sensitive information from unauthorized access, use, or disclosure. CMMC 2.0 introduces a tiered system of levels, ranging from Level 1 (Basic Cybersecurity Hygiene) to Level 3 (Advanced/Progressive).

However, small businesses may face challenges in complying with CMMC, including limited resources and a lack of understanding of the process. The journey toward CMMC certification can take anywhere from a month to 2 years, depending on your organization's complexity, locations, current cybersecurity posture and the level of certification you are seeking.  The cost of CMMC compliance can vary, but it is important to carefully consider your budget and work with a professional consulting firm to find a solution that fits your needs.

Get ready to achieve CMMC compliance with ease! Download this CMMC guide as a PDF now and stay ahead in the game.

This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance. Here is the list of topics covered:

But why is CMMC compliance important? As cyber threats evolve and become more sophisticated, organizations must prioritize cybersecurity to protect their assets and data. CMMC compliance will soon be a requirement for DoD contractors, with requirements appearing in solicitations starting by Fall 2023. If your organization handles CUI for the DoD, it is important to understand which CMMC level you need and begin the journey toward certification. There are many benefits to achieving CMMC compliance, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information.

Background and Context of CMMC

What is NIST 800-171?

The Department of Defense (DoD) mandated in early 2018 that all organizations exchanging CUI enforce the 110 security controls listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171): Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

However, despite the existence of this regulation, CUI leakage persisted, endangering American national security

Why did NIST 800-171 fall short?

The core reason why NIST 800-171 compliance was insufficient is because it relied on self-assessments.

But why was it problematic? Here are a few reasons:

To overcome the shortcoming in NIST 800-171 compliance enforcement, and the need to continually defend the vast attack surface of the Defense Industrial Base (DIB), DoD released a tiered system of Cybersecurity Maturity Framework in 2020.

How did CMMC evolve?

2015-2020

In 2015, the National Institute of Standards and Technology (NIST) released Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Subsequently, the Department of Defense (DoD) issued contract clause 252.204-7012 to enforce compliance by the Defense Industrial Base (DIB) with the NIST 800-171 control requirements. The DIB was required to self-attest their compliance with NIST SP 800-171's 110 controls by late 2017.

Despite regulations aimed at preventing it, breaches of CUI (Controlled Unclassified Information) continued to occur and remain a threat to United States national security.

This regulation was insufficient because NIST 800-171 relied on self-assessments. That was problematic because of the complexity of the cybersecurity controls, improper implementation, and the subjectivity of self-assessment; in some cases, companies simply checked the box without understanding the compliance requirement at all. The lack of rigor in enforcing NIST 800-171 compliance left the DIB vulnerable to cyber threats, including APTs (Advanced Persistent Threats).

In early 2020, the DoD released its Cybersecurity Maturity Model Certification (CMMC) 1.1 framework, which mandated that all organizations exchanging CUI implement the 110 security controls listed in NIST SP 800-171 to safeguard that CUI.

CMMC addresses requirements for the protection of FCI and CUI data:

CMMC Evolution Timeline

2021-Present

The CMMC program's original form was criticized for its complexity and anticipated certification costs. Driven by feedback across the industry, CMMC has since been reworked into a hybrid certification model. This new version, referred to as CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while maintaining the goal of protecting the Defense Industrial Base from cyber-attacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from 5 to 3 compliance levels.

In 2022, DoD released a memorandum that stated:

The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” in effect at the time the solicitation is issued or as authorized by the contracting officer.

More to come on CMMC

In March 2023, DoD is on pace to release a new DFARS Interim Rule that will codify CMMC into law via the DFARS 7021 clause. Once released, the Rule will allow CMMC requirements to appear in contracts.

In May 2023, DoD expects to include CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and all subcontractors throughout their supply chain.

Cybersecurity Maturity Model Certification 2.0 Framework

CMMC was created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks. It specifically intends to improve the security of federal contract information (FCI) and controlled unclassified information (CUI) transferred within the DIB.  

CMMC compliance aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The framework draws on processes, other frameworks, and inputs from cybersecurity standards such as NIST 800-53, ISO 27001, UK Cyber Essentials, and the Australian Cyber Security Centre's Essential Eight Maturity Model. The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.

As threats change, CMMC 2.0 expands on the original CMMC 1.0 framework to dynamically improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations.

Three levels based on well-recognized NIST cybersecurity standards have replaced the five cybersecurity compliance levels of CMMC 1.0.

Key Changes to CMMC 2.0

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements.


What are the CMMC 2.0 Levels?  

The CMMC 2.0 framework has three levels:

  1. The first level is Foundational. This level focuses on the protection of FCI, which is Federal Contract Information. Federal Contract Information is generated for a contract and is not intended to be accessible to the public. Level 1 tests the basic cyber hygiene of the company.
  2. The second level is Advanced. This level focuses on protecting CUI, which is Controlled Unclassified Information. It aligns with security controls developed by the National Institute of Standards and Technology (NIST).
  3. The third level is the Expert level. This level is focused on the Department of Defense's highest priority programs and works on reducing risks from Advanced Persistent Threats (APTs). An organization must have processes in place to detect and respond to advanced persistent threats (APTs), including having the ability to monitor, scan, and process data forensics. An organization should also have a process to detect and respond to changing tactics, techniques, and procedures (TTPs) of APTs.

How many domains and practices does CMMC 2.0 have?

  1. Level 1 (Performed: 15 practices). To protect Federal Contract Information, a company must follow fundamental cyber hygiene procedures, requiring employees to change passwords frequently. This level includes an annual self-assessment and an annual affirmation.
  2. Level 2 (Managed: 110 practices). To protect CUI, a company needs to have a standardized management strategy that includes all the NIST 800-171 r2 security requirements and procedures. This level includes a triennial third-party assessment and an annual affirmation.
  3. Level 3 (Optimizing: 110+ practices). A company needs to implement standardized, optimized processes and extra, improved practices that can identify and react to evolving advanced persistent threats (APTs). This level includes a triennial government-led assessment and an annual affirmation.
CMMC 2.0 Levels and Practices

Why is CMMC compliance important?

The significance of CMMC connects back to United States national security. The Defense Industrial Base (DIB) is a global industrial complex that supports vital goods and services such as the design, manufacture, delivery, and maintenance of military weapons systems to satisfy the needs of the U.S. military. The DIB supply chain comprises more than 300,000 businesses that work for the DoD under contract. Defense contractors must have their cybersecurity status inspected and confirmed by an impartial third party before signing a contract with the DoD. Beyond the complexity of what is at risk, studies show that the global cost of cybercrime is around $945 billion, which is more than 1% of global GDP. The Department of Defense is putting in maximum effort to reduce these costs and risks through CMMC.

Below are the benefits of complying with CMMC:

  1. CMMC compliance ensures the protection of sensitive information (FCI/CUI)
    CMMC compliance is important because there is highly sensitive national information at risk. The government requires contractors to practice set standards and regulations to strengthen the information's security. Specifically, if a company is dealing with controlled unclassified information (CUI) or federal contract information (FCI), the company must have CMMC compliance to protect the information. CMMC ensures that companies working with the Department of Defense meet security protocols and standards.
  2. CMMC compliance will soon be a requirement for DoD contractors
    Once the rule-making is in effect, CMMC compliance will become a mandatory requirement for DIBs by the summer of 2023. The DIB Contractors will not be able to bid on DoD Contracts if they fail to comply with the appropriate CMMC Level.  
  3. To avoid penalties under The False Claim Act
    Contractors who make false statements or representations about their compliance with CMMC standards to obtain or retain a contract with the DoD could be subject to civil penalties, fines, and exclusion from future government contracts.
  4. Achieving CMMC compliance can provide many benefits to Federal Contractors
    Achieving CMMC compliance can provide many benefits to organizations, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information. Therefore, it is important for the organizations that handle CUI to comply with CMMC.

The CMMC Ecosystem

The CMMC Ecosystem has several stakeholders. Some of the most important are shown in the image below:

The CMMC Ecosystem
  1. OSC: Organization Seeking Certification is any organization seeking any of the CMMC Level 1 to Level 3 Certification.
  2. RP/RPA: Registered Practitioners and Registered Practitioner Advanced, accredited by Cyber-AB, are implementers and IT solution architects that provide consultative preparation services to the OSCs and either work as independent contractors or as members of a Registered Practitioner Organization (RPO).
  3. CCP/CCA: Certified CMMC Professional (CCP for Level 1) or Certified CMMC Assessor (CCA for Level 2) are individuals who have received training from a Licensed Training Provider (LTP) and are required to take and pass the certification exams. On passing the certification exam(s), they become certified assessors. They typically work for a C3PAO or can be independent.
  4. RPO: CMMC RPOs provide pre-assessment consulting and remediation services to OSCs and assist them during assessments. They deliver advisory and consulting services through RP and RPAs. They are consultative organizations or MSPs and do not conduct Certified CMMC Assessments.
  5. C3PAO: A CMMC Third-Party Assessment Organization (C3PAO) conducts assessments of OSCs by employing CCPs and CCAs based on their training and adherence to CMMC standards.
  6. DIBCAC: DIBCAC is a federal agency that leads the Department of Defense's (DoD) contractor cybersecurity risk mitigation efforts. DIBCAC assesses DoD contractors' compliance with the Defense Federal Acquisition Regulation Supplement (DFARS), NIST (SP)800-171 clause, and other clauses.
  7. DCISE: Defense Industrial Base Collaborative Information Sharing Environment (DCISE) is the operational hub of the Defense Industrial Base (DIB) Cybersecurity Program of the Department of Defense, focused on protecting intellectual property and safeguarding DoD content residing on or transiting through contractor unclassified networks. The public-private cybersecurity partnership provides a collaborative environment for crowd-sourced threat sharing at unclassified and classified levels. Cyber incidents outlined in the DFARS are submitted by OSCs to DC3/DCISE as mandatory reports; however, all other cyber activity can be reported voluntarily. DCISE:
    • Is rated at the "Defined" level (Maturity Level 3) for Capability Maturity Model Integration for Services (CMMI-SVC).
    • Oversees a collaborative partnership with over 1,003 CDCs and U.S. Government (USG) agencies.
    • Has shared over 589,006 (and counting) actionable, non-submitting-source-attributable indicators.
    • Provides no-cost forensics and malware analysis for DIB Partners.
    • Disseminates cyber threat reports for both DIB and USG consumption (DIB partners access DCISE reporting via their DIBNET accounts, and USG members can access it via SIPRNet Intelshare).
    • Operates a 24/7/365 support hotline (1-877-838-2174) to assist submitters and DIB and USG Partners.

Who does CMMC apply to?

DoD's DIB Supply Chain

CMMC is a requirement for all companies who want to work as a contractor with the Defense Industrial Base. Everyone involved in the defense contract supply chain, including contractors that work directly with the DoD and subcontractors who work with primes to carry out or complete contracts, must abide by the CMMC.

CMMC: From Readiness to Certification

What CMMC level do I need?

To qualify for government contracts, most businesses will need certification at one of the three levels. The Department of Defense is working with the CMMC Accreditation Body (Cyber-AB) to enforce the process, ensure its validity, and certify independent third-party assessment organizations (C3PAOs).

The level necessary depends on whether the company is dealing with CUI or FCI. FCI would require the company to complete Level 1 and dealing with CUI would require the company to have achieved Level 2.

Download our free whitepaper that discusses Controlled Unclassified Information (CUI) and how best to protect it.

When will CMMC requirements start appearing in solicitations?

It is predicted that in the Department of Defense's timeline, CMMC requirements could appear in solicitations in May of 2023.

Currently, CMMC compliance is a soft requirement, but it is anticipated that it will become law by May 2023. Because CMMC compliance is a long journey, companies are currently still allowed to bid on contracts. In the future, however, the government will not allow companies to bid on a contract unless they are CMMC certified.

How long does it take to get CMMC certified?

Based on our NIST 800-171 and CMMC compliance preparatory services, below is a general timeframe that OSCs need to be aware of:

Since it is such a long process, the earlier the company begins, the greater advantage it will have before CMMC compliance becomes law.

CMMC 2.0 Compliance Timeline

What does the journey to CMMC certification look like?

The journey to CMMC certification is a long one. The company usually begins by identifying where to begin and what level they want to achieve. Your company can begin the journey to CMMC certification by familiarizing itself with the CMMC 2.0 framework.  It is important to have background knowledge and know all things CMMC to understand the journey's significance.

Here is what the journey to CMMC Compliance looks like:

CMMC Compliance Journey
Ask an Expert
  • Identifying external partners dedicated to making your company CMMC-certified is important to accelerate your company's process. Registered Provider Organizations (RPOs) can help guide you throughout your journey, which can be both time and cost-effective.
Create a CMMC Team
  • Within your organization, it is important to establish a team of resourceful individuals who can focus explicitly on the CMMC effort. These employees should be knowledgeable on the topic and able to give their time and effort to help your company become successfully CMMC certified.
Identify the Level
  • When beginning the CMMC journey, you must identify which CMMC level your company wants to achieve. This depends on which contracts and projects your company wants to work on now and in the future.
Scope the Environment
  • Once the level is clarified, your organization must scope your compliance boundary. This means there needs to be an in-depth investigation of who deals with CUI or FCI, which devices process it, and what organizational actions are related to it.
Gap Analysis and Remediation
  • Your company will need to perform a gap analysis. This means investigating and understanding the company's current state and identifying the gaps between that state and the full set of CMMC requirements. If your company is already NIST compliant, that puts it ahead. After the gap analysis comes remediation, which addresses the issues and gaps found in the analysis and fixes them.
Get Certified!
  • For CMMC Level 1, a senior official at the organization must self-attest by signing the System Security Plan. The organization also needs to upload SPRS (Supplier Performance Risk System) score to the DoD SPRS system.
  • For CMMC Level 2, an organization needs to find a C3PAO, a CMMC Third-Party Assessment Organization, and undergo an audit.
  • For CMMC Level 3, an organization needs to undergo Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit.

What are the challenges faced by small businesses to comply with CMMC?

Challenges faced by Small Business to comply with Cybersecurity Maturity Model Certification
  1. Limited resources
    Small enterprises may face difficulties in implementing security measures and fulfilling CMMC standards due to constraints such as limited financial resources, manpower and technology.
  2. Lack of expertise
    Small businesses may have difficulties in comprehending and adhering to CMMC requirements due to their limited knowledge and experience in cybersecurity.
  3. Limited access to information
    Small enterprises may face challenges in obtaining information about the CMMC standard and the steps required for compliance, making the certification process difficult to navigate.
  4. Limited access to vendors
    There is limited availability of credible and approved CMMC readiness vendors or individuals to assist small businesses in their journey towards CMMC compliance.
  5. Limited budget
    The restricted financial resources of small businesses may pose a challenge in meeting the expenses associated with compliance and certification under the CMMC standard.
Take control of CMMC compliance! Limited budget? No problem. Contact now for expert assistance.

What are the CMMC 2.0 assessment requirements?

The image below shows the assessment requirements under CMMC 2.0.

Cybersecurity Maturity Model Certification Models and Assessments

CMMC Level 1(Foundational): This Foundational level focuses on the protection of Federal Contract Information (FCI). Level 1 companies are required to self-assess and attest annually.

CMMC Level 2 (Advanced): This Advanced level focuses on the protection of Controlled Unclassified Information (CUI). Level 2 companies are required to undergo a triennial assessment by a C3PAO.

CMMC Level 3 (Expert): This Expert level focuses on the protection of CUI for DoD's highest-priority programs. Level 3 companies are required to undergo triennial government-led assessments.

What are some of the most challenging controls to implement?

Based on our past NIST 800-171 and CMMC compliance engagements with our customers, we observed that the following controls were typically difficult to implement and sustain operationally.

The most challenging controls to implement

Which controls are consistently failing DIBCAC assessments?

Around November of 2022, DIBCAC Director for the Defense Contract Management Agency (DCMA), Nick DelRosso, provided insights into the Top 10 controls often determined to be Other Than Satisfied (OTS) during DIBCAC assessments of DIB organizations.

CMMC Controls failing DIBCAC Assessments

What is the difference between Basic, Medium, and High assessments?

What is an SPRS?

The DoDI 5000.79 "Defense-Wide Sharing of Supplier Performance Information (PI)," published on October 15, 2019, established policy and assigned responsibilities for managing the defense-wide collection and sharing of performance information on suppliers, products, and services.

DoD Supplier Performance Risk System (SPRS) is a procurement risk analysis tool for Price, Item, and Supplier risk. The Price Risk tool compares industry prices to the average price paid by the government. The Item Risk tool flags items identified as high risk (based on critical safety/application or risk of counterfeiting). The Supplier Risk tool scores vendors on DoD-wide contract performance.

SPRS supports DoD Acquisition Professionals with meeting acquisition regulatory and policy requirements by providing the following:  

SPRS provides storage and access to the NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module contains the assessment date, score, scope, and plan of the action completion date, Included Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP date, and confidence level.

The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments. 

An "SPRS Cyber Vendor User" role is required for companies to enter or edit basic self-assessment information. If a record header for the Highest-Level Owner (HLO) does not exist, one may be created. Once the HLO header has been created, assessments for CAGEs that fall within the HLO hierarchy may be added.

All DIBs, regardless of CMMC 2.0 Level, must upload their SPRS score, SSP, and POA&Ms into the DoD SPRS system.  

Are POA&Ms allowed in CMMC 2.0?

The Department of Defense (DoD) will permit the use of POA&Ms (Plan of Action and Milestones) for companies who have not yet met all the security controls at the time of award of defense contracts under CMMC 2.0. However, POA&Ms will not be allowed for the most critical security requirements, which are the most difficult to meet. The DoD uses a self-assessment method that assigns a weight of 1, 3, or 5 points to each of the 110 controls in NIST SP 800-171. The scoring starts at a maximum of 110, and points are subtracted for each control not yet implemented. As most controls are worth more than one point, the self-assessment scores can be negative and range from -203 to +110.

Although final information has not yet been released, Stacy Bostjanick, the director of the CMMC program for the DoD, stated in June 2022 that POA&Ms will be allowed for controls weighted at 1 or 3 points but not for controls weighted at 5 points.

The DoD also plans to set a minimum score that must be achieved when using POA&Ms for CMMC certification, and POA&Ms will have a time limit, which will be strictly enforced. The time limit has not been decided yet, but 180 days is under consideration. It is also not yet known when the 180-day POA&M clock will start, but it is likely to be upon the award of a contract, either by DoD to a prime contractor or by a contractor to a subcontractor.
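The scoring and POA&M rules described above, worked through in code. This is an added example, not code from the guide or from DoD or InterSec: it applies the 1/3/5-point weighting, the 110-point starting score, and the stated (not yet final) rule that POA&Ms are allowed for 1- and 3-point controls but not 5-point ones. The control identifiers and weights in `SAMPLE_CONTROLS` are constructed for illustration and are not the real NIST SP 800-171 weight assignments; the `-203` floor check is derived from the guide's own numbers (110 - (-203) = 313 total points across the full 110 controls).

```python
from dataclasses import dataclass

MAX_SCORE = 110                 # score before any deductions (110 controls)
ALLOWED_WEIGHTS = {1, 3, 5}     # point values the DoD methodology assigns
POAM_ELIGIBLE_WEIGHTS = {1, 3}  # per the June 2022 statement quoted in the guide
PUBLISHED_MIN_SCORE = -203      # lowest possible score for the full control set


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed label; real ids would be NIST SP 800-171 requirement numbers
    weight: int       # 1, 3 or 5 points
    implemented: bool


def validate(controls):
    """Reject any weight the methodology does not use, so bad inventories fail loudly."""
    for c in controls:
        if c.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not one of {sorted(ALLOWED_WEIGHTS)}")


def score(controls):
    """Self-assessment score: start at 110 and subtract the weight of each unimplemented control."""
    validate(controls)
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def minimum_possible_score(controls):
    """Floor of the score for this inventory (everything unimplemented); -203 for the real 110 controls."""
    validate(controls)
    return MAX_SCORE - sum(c.weight for c in controls)


def poam_split(controls):
    """Split unimplemented controls into POA&M-eligible (1 or 3 points) and must-fix (5 points)."""
    validate(controls)
    open_items = [c for c in controls if not c.implemented]
    eligible = [c.control_id for c in open_items if c.weight in POAM_ELIGIBLE_WEIGHTS]
    blocking = [c.control_id for c in open_items if c.weight not in POAM_ELIGIBLE_WEIGHTS]
    return eligible, blocking


def assessment_summary(controls):
    """One record an OSC could use to decide whether a POA&M path is even available."""
    eligible, blocking = poam_split(controls)
    return {
        "score": score(controls),
        "min_score": minimum_possible_score(controls),
        "poam_eligible": eligible,
        "must_fix_before_award": blocking,
        # Any open 5-point control means a POA&M alone cannot carry the certification.
        "poam_possible": not blocking,
    }


def matches_published_range(controls):
    """True only for an inventory whose floor equals the guide's -203 (i.e. weights sum to 313)."""
    return minimum_possible_score(controls) == PUBLISHED_MIN_SCORE


# Constructed sample inventory (six controls, weights chosen for illustration only).
SAMPLE_CONTROLS = [
    Control("ctrl-01", 5, True),
    Control("ctrl-02", 5, True),
    Control("ctrl-03", 3, False),   # open, POA&M-eligible
    Control("ctrl-04", 1, False),   # open, POA&M-eligible
    Control("ctrl-05", 5, False),   # open, blocks a POA&M-only path
    Control("ctrl-06", 3, True),
]

if __name__ == "__main__":
    for key, value in assessment_summary(SAMPLE_CONTROLS).items():
        print(f"{key}: {value}")
```

For the sample, three open controls deduct 3 + 1 + 5 = 9 points, giving a score of 101, and the single open 5-point control means the inventory is not eligible for a POA&M-only path under the rule the guide describes. A real inventory would carry all 110 requirements with their published weights, at which point `matches_published_range` returns True.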

Are waivers allowed in CMMC 2.0?

To maintain flexibility and the ability to act quickly, the Department of Defense (DoD) will allow for limited waivers in the CMMC 2.0 program. These waivers will only be granted for certain mission-critical contracts and require a detailed justification package, including a plan for risk mitigation and a timeline for meeting CMMC requirements. Approval for waivers will come from high-level DoD leadership and apply to the entire CMMC requirement, not just individual controls. More information on waivers will be established during the rulemaking process.

How much does CMMC Compliance Cost?

The CMMC assessment costs will depend upon several factors, including which CMMC level your company is achieving and the complexity of the DIB company's unclassified network for the certification boundary.

Cost of CMMC Compliance Certification

DoD will release a new cost estimate associated with the CMMC 2.0 program, which will be published on the Federal Register as part of the rulemaking process.

It is essential to note that the costs for implementing cybersecurity controls arise from the requirement to comply with and safeguard information, defined in FAR 52.204-21 and DFARS 252.204-7012.

Factors affecting the cost of CMMC Compliance

CMMC assessment expenses are expected to be lower than under CMMC 1.0 because the Department of Defense intends to centralize the requirements at all levels rather than maintaining unique practices and processes, to allow organizations pursuing Level 1 and some Level 2 programs to use self-assessments instead of third-party assessments, and to strengthen the third-party assessments that remain.

According to DoD, there are approximately 300,000 organizations that would require CMMC. It's estimated that there are about 80,000 organizations that would require CMMC Level 2 and Level 3, and the rest would require CMMC Level 1 compliance.

How can an RPO like InterSec help in CMMC Compliance?

Achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) can be challenging for DIB Contractors. However, by working with a Registered Provider Organization (RPO), contractors can gain access to the guidance, expertise, and resources necessary to successfully navigate the requirements and best practices for each maturity level.

RPOs can assist with the assessment process, provide training and resources, and offer feedback and recommendations for improvement. Partnering with an RPO can significantly increase a DIB Contractor's chances of quickly achieving and maintaining CMMC compliance.

InterSec, a Cyber-AB RPO, has years of experience helping Federal Contractors navigate complex compliance requirements. As a Cybersecurity organization, we provide end-to-end CMMC Compliance consulting. 

We provide a compliance-accelerated platform and rapid CUI scoping to begin your CMMC compliance journey. We have expertise in technical remediation and provide audits for your company. We are a dedicated team of professionals to help your company meet your CMMC needs through cost-effective solutions. Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.

As a Cyber-AB authorized CMMC RPO, Intersec offers Consulting, Gap Assessment, Remediation, and Managed Security Services to ramp up and accelerate your CMMC Compliance Journey.