As a leading CMMC consultant in our industry, we keep our clients and readership up to date on the latest developments in the roll-out of CMMC mandates.
A little history on CMMC
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for mandating and verifying cybersecurity practices across the Defense Industrial Base (DIB). The CMMC framework defines a set of processes and practices that a contractor must implement to reach a given maturity level. CMMC gives the Department of Defense increased assurance that a company can adequately protect sensitive unclassified information, safeguarding our nation's defense supply chain.
Any organization that contracts with the Department of Defense ("DoD") will require some level of CMMC unless it sells only commercial-off-the-shelf (COTS) products.
So, what’s CMMC 2.0?
In November 2021, amidst much confusion regarding the maturity levels and to whom CMMC applies, the DoD announced changes to the original CMMC model ("CMMC 1.0"), including a reduction in the maturity levels from five to three and changes to the assessment and certification processes. The revised model is called CMMC 2.0.
Comparing CMMC 1.0 to CMMC 2.0
In our May 2021 Abel Solutions' Insight, we explained how CMMC 1.0 consisted of five levels and how Levels 2 and 4 were transitional stages toward the next level. CMMC 2.0 simplifies this by removing those transitional levels and consolidating the model into three levels.
CMMC 2.0 Level 1
CMMC 2.0 Level 1 is the Foundational level of cybersecurity and correlates to Level 1 of CMMC 1.0. It is geared toward businesses that provide general supplies and services and applies to organizations that handle FCI but do not store or process CUI or CDI. Level 1 is considered basic cyber hygiene and consists of 17 basic cybersecurity practices. The main difference between CMMC 1.0 and 2.0 at Level 1 is that an organization can now complete an annual self-assessment without a certified third-party assessment.
CMMC 2.0 Level 2
CMMC 2.0 Level 2 is the Advanced level of cybersecurity and correlates to Level 3 of CMMC 1.0. It consists of 110 security practices and aligns with NIST SP 800-171. Level 2 applies to businesses that store or manage CUI or CDI. Level 2 also drops the security practices unique to CMMC 1.0 and the maturity process requirements, so it now mirrors NIST SP 800-171.
It was initially thought that organizations seeking Level 2 could self-assess if they did not handle the most sensitive CUI critical to national security. That has already changed since the initial release of CMMC 2.0.
All organizations seeking Level 2 will need to undergo a certified third-party assessment every three years.
CMMC 2.0 Level 3
CMMC 2.0 Level 3 is the Expert level of cybersecurity and correlates to Level 5 of CMMC 1.0. It will focus on businesses that handle the most sensitive CUI. Level 3 is planned to be based on NIST SP 800-172, which is a supplement to NIST SP 800-171 containing enhanced security requirements.
CMMC 2.0 will allow businesses to receive contracts with a Plan of Action & Milestones (POA&M) in place to complete outstanding CMMC requirements. CMMC 1.0 would not have allowed a contractor to receive a contract until every item in its POA&M had been satisfied. Note that the DoD has indicated these POA&Ms will be strictly time-bound and will not be permitted for the highest-weighted requirements, so a POA&M is a short bridge, not a substitute for implementation.
The fundamental changes from CMMC 1.0 to CMMC 2.0 are focused on streamlining the maturity model, aligning with NIST cybersecurity standards, reducing assessment costs, and adding flexibility.
CMMC 2.0 is still organized into domains, each with a list of practices. The three CMMC 1.0 domains with no counterpart in NIST SP 800-171 were dropped, leaving 14 domains at Level 2 (Level 1's 17 practices span 6 of them). You can download this spreadsheet to map the domains to the practices required at each level.
A little help on some acronyms
FCI (Federal Contract Information) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
CUI (Controlled Unclassified Information) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
CDI (Covered Defense Information) is the DFARS 252.204-7012 term for unclassified CUI that is provided to a contractor by or on behalf of the DoD, or collected, developed, received, transmitted, used, or stored by the contractor in performance of the contract.
The official timeline, under which CMMC is to be fully implemented by the end of 2025, has not changed; however, it has been rumored that the DoD is not committed to all contracts meeting the requirement by that deadline. The DoD is exploring incentives for contractors who voluntarily obtain a CMMC certification in the interim period. It would be prudent to get started today so you are positioned to take advantage of these opportunities.