Welcome to our most comprehensive guide on CMMC 2.0! The Cybersecurity Maturity Model Certification (CMMC) is a program implemented by the U.S. Department of Defense (DoD) to ensure that organizations handling controlled unclassified information (CUI) have appropriate cybersecurity controls in place to protect sensitive information from unauthorized access, use, or disclosure. In addition, CMMC 2.0 introduces a tiered system of levels, ranging from Level 1 (Basic Cybersecurity Hygiene) to Level 3 (Advanced/Progressive).
But why is CMMC compliance important? As cyber threats evolve and become more sophisticated, organizations must prioritize cybersecurity to protect their assets and data. CMMC compliance will soon be a requirement for DoD contractors, with requirements appearing in solicitations starting by Fall 2023. If your organization handles CUI for the DoD, it is vital to understand which CMMC level you need and begin the journey toward certification.
There are many benefits to achieving CMMC compliance, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information. However, small businesses may face challenges in complying with CMMC, including limited resources and a lack of understanding of the process. The journey toward CMMC certification can take anywhere from several months to a year, depending on your organization's current cybersecurity posture and the level of certification you are seeking. The cost of CMMC compliance can vary, but it is essential to carefully consider your budget and work with a professional consulting firm to find a solution that fits your needs.
This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance. Here is the list of topics covered:
The origin of Cybersecurity Maturity Model Certification

In 2015, the National Institute of Standards and Technology (NIST) released Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Subsequently, the Department of Defense (DoD) issued contract clause 252.204-7012 to enforce compliance by the Defense Industrial Base (DIB) with the NIST 800-171 control requirements. The DIB was required to self-attest its compliance with NIST SP 800-171's 110 controls by late 2017.
In early 2020, the DoD released its Cybersecurity Maturity Model Certification (CMMC) 1.1 framework, which mandated that all organizations exchanging CUI implement the 110 security controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to safeguard defense controlled unclassified information (CUI).
However, despite the existence of this regulation, CUI leakage persisted, endangering American national security. One reason this regulation was insufficient is that NIST 800-171 relied on self-assessments, which is problematic for a few reasons. First, the security controls are complex, and an organization implementing or assessing them itself can easily misunderstand the requirements and score its assessment incorrectly. Second, self-assessments are usually not performed regularly and consistently, which decreases their reliability and validity. Third, complying with NIST 800-171 does not necessarily mean that security is ensured at the company: even if an organization satisfies a security control requirement, a self-assessment does not address the strength and maturity of the implementation used to fulfill it.
To address this problem, the DoD released its Cybersecurity Maturity Model Certification (CMMC) 1.1 framework in early 2020. The DoD subsequently released a simplified CMMC framework 2.0 in 2021. In 2022, DoD released a memorandum that stated:
The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" in effect at the time the solicitation is issued or as authorized by the contracting officer.
As of March 2023, DoD is on pace to release a new DFARS Interim Rule that will codify CMMC into law via the DFARS 7021 clause. Once released, the Rule will allow CMMC requirements to appear in contracts.
In May 2023, DoD expects to include CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and all subcontractors throughout their supply chain.
CMMC scope includes
CMMC is a cost-effective solution to prevent CUI leakage by verifying that companies follow the NIST SP 800-171 security controls.
In addition to providing an accurate assessment of each company’s compliance status, CMMC also enables the DoD and other government agencies to issue corrective action plans (CAP) for those contractors that fail their audits. These CAPs allow companies to self-correct their deficiencies before losing access to classified information or being suspended from performing work on DoD contracts. As a result of CMMC’s security controls assessment, companies can now implement the appropriate corrective actions to protect CUI and prevent unauthorized disclosure.
CMMC was created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks. It specifically intends to improve the security of federal contract information (FCI) and controlled unclassified information (CUI) transferred within the DIB.
The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.
The certification process involves conducting an assessment and submitting the results for evaluation by a third-party assessor. The process begins with a DIB-specific security assessment designed to identify gaps in the organization’s cybersecurity posture. This assessment provides evidence of an organization’s compliance with NIST Special Publication 800-171. The results are then evaluated by a third-party assessor, who will determine whether or not a contractor can become CMMC certified. The Cyber AB is the exclusive authorized non-governmental partner of the U.S. Department of Defense in setting up and managing the CMMC conformance regime. It is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC).
The system is designed to be flexible and scalable, allowing contractors to assess their cybersecurity maturity level by completing the assessment process at their own pace. Contractors can use the results of this assessment as a baseline for improvement, or they may simply choose to participate to receive certification without having to perform any additional work beyond submitting the results for evaluation. As threats change, CMMC 2.0 expands on the original CMMC 1.0 framework to dynamically improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations. Three levels based on well-recognized NIST cybersecurity standards will replace the five cybersecurity compliance levels in CMMC 1.0.
The CMMC 2.0 framework has three levels:
With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements. These are:
CMMC compliance is important because highly sensitive national information is at risk, and the government requires contractors to practice set standards and regulations to strengthen how that information is protected. Specifically, if a company handles controlled unclassified information (CUI) or federal contract information (FCI), it is required to be CMMC compliant in order to protect that information. CMMC ensures that companies working with the Department of Defense are meeting the set security protocols and standards.
The significance of CMMC connects back to the national security of the United States. The Defense Industrial Base (DIB) is a global industrial complex whose goal is to support vital services and goods, such as the design, manufacture, delivery, and maintenance of military weapons systems, to satisfy the needs of the U.S. military. The DIB supply chain is made up of more than 300,000 businesses that work for the DoD under contract. Defense contractors must have their cybersecurity status inspected and confirmed by an impartial third party before signing a contract with the DoD. In addition to the complexity of what is at risk, studies show that the estimated global cost of cybercrime is around $945 billion, which is more than 1% of the global GDP. The Department of Defense is putting in maximum effort to reduce these costs and risks through CMMC.
Under the Department of Defense's predicted timeline, CMMC requirements could appear in solicitations in May of 2023. Currently, CMMC compliance is a soft requirement; however, it will be law next year. Since CMMC compliance is a long journey, the DoD presently allows you to bid on contracts; however, next year, the government will not allow companies to bid on contracts unless they are CMMC certified.
CMMC is a requirement for all companies who want to work as a contractor with the Defense Industrial Base. Everyone involved in the defense contract supply chain, including contractors that work directly with the DoD and subcontractors who work with primes to carry out or complete contracts, must abide by the CMMC.
According to DoD, approximately 300,000 organizations would require CMMC. It's estimated that about 80,000 organizations would require CMMC Level 2 or Level 3, and the rest would require CMMC Level 1 compliance. Most businesses need certification at one of the three levels to qualify for government contracts. The Department of Defense is working with the CMMC Accreditation Body (Cyber-AB) to enforce the process, certifying independent third-party assessment organizations (C3PAOs) and ensuring their validity. These third-party assessors will also evaluate and verify the CMMC certification process and assess compliance with quality management systems. Assessors are expected to be neutral, independent third parties who can conduct assessments per CMMC standards and requirements.
The level necessary depends on whether the company is dealing with CUI or FCI. FCI would require the company to complete level 1, and dealing with CUI would require the company to have achieved level 2.
There are many benefits of CMMC compliance. Your company will gain cybersecurity resilience and be better prepared for security threats, giving it the advantage of better protecting its assets and data. The company would be able to build on proposals with the government and would have an edge over competitors. Having CMMC compliance makes your company more reliable, as it declares that the company takes all necessary security measures and is better equipped to handle sensitive information than other companies.
One of the challenges is cost, since CMMC is a pricey journey. The price varies depending on the level sought and the information handled; however, it increases as you pursue higher levels, which may be out of a small business's budget. Most small businesses also do not know where or how to begin their journey. It would be best for a small company to hire external vendors to help it gain knowledge and proceed on the right track. In addition, small businesses have little to no staff, and without experts on the topic, it would be difficult for the business to figure out how to comply with CMMC.
The Department of Defense estimates that it takes 9 to 24 months to become CMMC certified. The first level would take between 1 to 3 months, the second level would take between 6 to 18 months, and the third level would take between 9 to 23 months. Since it is such a long process, the earlier the company begins, the greater advantage it will have before CMMC compliance becomes law in the next year.
The journey to CMMC certification is a long one. The company usually begins by identifying where to start and what level it wants to achieve. Your company can begin the journey to CMMC certification by familiarizing itself with the CMMC 2.0 framework. It is important to have the background knowledge of all things CMMC to understand the significance of the journey you are about to undertake. The journey to CMMC certification can look like this:
The CMMC assessment costs will depend upon several factors, including which CMMC level your company is achieving and the complexity of the DIB company's unclassified network within the certification boundary. DoD will release a new cost estimate associated with the CMMC 2.0 program, which will be published in the Federal Register as part of the rulemaking process. It is essential to note that the costs of implementing cybersecurity controls arise from the requirement to comply with and safeguard information as defined in FAR 52.204-21 and DFARS 252.204-7012.
CMMC assessment expenses are predicted to be lower than under CMMC 1.0 because the Department of Defense intends to: centralize the requirements at all levels instead of maintaining unique practices/processes, allow organizations achieving Level 1 and some Level 2 programs to proceed with self-assessments instead of third-party assessments, and strengthen the third-party assessments.
InterSec has been helping organizations become CMMC certified for the past 8 years. As a DIB organization with years of experience, we provide compliance assessments and support and guide your organization's journey toward CMMC compliance.
We provide a compliance-accelerated platform and rapid CUI scoping to begin your CMMC compliance journey. We have expertise in technical remediation and provide audits for your company as well. We are a dedicated team of professionals to help your company meet your CMMC needs through cost-effective solutions. Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.