The Department of Defense has announced the launch of Cybersecurity Maturity Model Certification 2.0 (or CMMC 2.0). This is a revised and updated version of CMMC, a 2020 framework of requirements which regulate the extensive network of contractors and subcontractors which work on DoD projects.
For those who wish to partner with the DoD, CMMC 2.0 is a critical program to understand. Keep reading to learn more about these changing requirements.
What Is CMMC 2.0 Accomplishing?
First, what is CMMC 2.0 meant to accomplish? The expanded Cybersecurity Maturity Model Certification program is designed to meet three recently established goals:
- Reduce bureaucratic inefficiencies for small and medium-sized businesses working on defense contracts.
- Establish priorities in safeguarding sensitive and critical DoD information.
- Increase the formal framework and culture of cooperation between the DoD and the cybersecurity industry with regard to security.
These are in addition to the primary deliverables of the original CMMC program:
- To both enable and protect the warfighter through the safeguarding of sensitive information.
- To enforce accountability while reducing barriers to compliance with DoD regulations.
- To enhance DoD cybersecurity to protect against ongoing and future threats.
- To participate in creating and maintaining a collaborative culture of cybersecurity awareness and cooperation between DoD agencies and the industry.
- To maintain rigorous professional standards, ethics, and best practices.
The refreshed program builds heavily on the former Cybersecurity Maturity Model Certification for defense contractors, which was launched in order to ensure that these contractors had adequate cybersecurity compliance safeguards in place to prevent Controlled Unclassified Information (CUI) from being accessed by hostile actors.
Although it has already been partially unveiled, the DoD has made it clear that the extensive rulemaking process for CMMC 2.0 is expected to take up to two years. In addition, an interim Defense Federal Acquisition Regulation System (DFARS) rule has established a five-year period for the phasing in of CMMC 2.0. During this timeframe, full compliance with CMMC 2.0 is only mandatory in the case of specific pilot contracts, as determined by the Under Secretary of Defense for Acquisition and Sustainment.
Key Changes of DoD CMMC 2.0 Explained
To explain the DoD’s CMMC 2.0, it is important to understand it as a revamping of 2020’s CMMC, rather than a separate and original compliance program. It builds on CMMC’s foundation, with a number of key changes designed to streamline compliance, cleave more closely to contemporary private sector cybersecurity standards, and provide a degree of flexibility to contractors (and subcontractors) that would otherwise not meet key requirements.
Reducing the Number of Compliance Levels
With the CMMC in 2020, the DoD created five tiered compliance levels, illustrated in the graphic below. To learn more about the original compliance program, including an overview of the rationale behind its conception and implementation as well as the original timeframe, read our original CMMC blog post.
The new draft of CMMC requirements has consolidated the previous five levels into just three:
CMMC 2.0 Level 1: Foundational
Level 1, otherwise known as the Foundational level, covers contractors and subcontractors that only work with Federal Contract Information (FCI) as defined by the Federal Acquisition Regulation. According to DoD figures, there will be 140,000 companies covered by this bracket.
CMMC 2.0 Level 2: Advanced
Level 2, otherwise known as the Advanced level, will cover contractors and subcontractors that work with Controlled Unclassified Information (CUI). DoD numbers suggest that 80,000 companies handle CUI, with approximately half of those handling “critical national security information.”
In the DoD’s CMMC 2.0 program, this Advanced level will correspond to the NIST SP 800-171.
CMMC 2.0 Level 3: Expert
Level 3, otherwise known as the Expert level, will be the highest level in CMMC 2.0. This tier is for contractors and subcontractors that work with the most sensitive levels of DoD information.
The DoD has articulated that around 500 companies will be required to comply with the Expert compliance level. Part of the NIST SP 800-172 requirements will inform the development of this tier for CMMC 2.0.
What to Expect from Each New CMMC Level
The DoD’s CMCC 2.0 program is phasing in a versatile combination of compliance systems which will utilize third-party expertise in the industry. This should boost efficiency and ensure that highly sensitive information will be securely stored, accessed, and processed. A goal of CMMC 2.0 is to bring contractors in line with current cybersecurity industry standards, as published by the National Institute of Standards and Technology (NIST).
Introducing Self-Assessment in CMMC 2.0
Companies regulated at the Foundational security level (1) will be allowed to demonstrate compliance through self-assessments. A defined subset of Advanced level (2) companies will also be allowed to demonstrate compliance through this route.
This is a marked departure from the requirements of CMMC, which demanded third-party assessments for all contractors and subcontractors at every level of compliance. As the result of significant concerns from the cybersecurity industry about the certification process becoming onerous and prohibitively expensive, CMMC 2.0 will now only demand third-party assessments for a much smaller subset of contracting and subcontracting companies.
Eligibility for Self-Assessment, Third-Party Assessment, and DoD Assessment
Companies within the (1) and (2) compliance bands will only be required to undertake a self-assessment, so long as they do not handle Controlled Unclassified Information that is critical to national security. It should be noted that organizations which fall into this category will have to undertake documented self-assessments every year, while third-party compliance certifications will last for three years.
Those Level 2 contractors and subcontractors which handle Controlled Unclassified Information that is regarded as critical to national security will require compliance assessments on a triannual basis. The assessments themselves are to be undertaken by a Certified Third-Party Assessment Organization (C3PAO).
The highest tier of compliance, the Expert bracket, will have to be audited by the DoD itself via its internal agency, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. As in the case of the subset of Level 2 companies working with CUI, the assessments of this bracket will be undertaken every three years.
DoD CMMC 2.0 Exceptions Explained
Under CMMC, a contractor or subcontractor was required to be fully compliant with their CMMC level before the contract could be awarded. Under the new requirements, in certain cases, a company will be permitted to begin work on a contract before compliance has been demonstrated.
In these limited cases, the contractor or subcontractor will have to demonstrate that it has Plans of Action and Milestones to achieve proper certification in place. CMMC 2.0 also builds in the possibility for certain requirements to be waived in exceptional cases, subject to approval by the DoD.
The Decision Making Process for CMMC 2.0
The decision to update and revise the CMMC program was the result of an internal consultation, co-chaired by the Deputy Assistant Secretary of Defense for Cyber Policy, Mieke Eoyang; along with the Executive Director of US Cyber Command, David Frederick; the Deputy Information Officer for Cybersecurity, David McKeown; and the Assistant Secretary of Defense for Industrial Policy, Jesse Salazar; as well as senior leaders from 18 department components.
Industry bodies were also invited to comment and Congress provided feedback, with over 850 public comments being sought and factored into the decision.
Salazar has stated that the new CMMC 2.0 program will “dramatically strengthen the cybersecurity of the defense industrial base.” He also praised the “more collaborative relationship with industry” which CMMC 2.0 will usher in, stating that “these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
Contact Us for CMMC Preparedness Services
Sentient Digital, Inc. is proud of our status as a Registered Provider Organization (RPO) with the CMMC Accreditation Body. As an RPO, we are trusted to assist third-party contractors and subcontractors with earning their CMMC compliance certifications by helping them to identify any cybersecurity vulnerabilities which might otherwise prevent them from being awarded defense contracts.
SDi offers preparedness services as well as advice and consultations, plus pre-assessment audits to guarantee that clients are CMMC ready. To see how we can help your organization work toward a CMMC 2.0 certification or to understand more about the services we can provide, contact us today.
In addition, SDi is open to partnering with other prime contractors and subcontractors on DoD projects. Our areas of expertise, qualifications, experience, and certifications allow us to provide our partners with a significant professional edge.
SDi is a Veteran-owned business that provides technology solutions to defense, federal, and commercial clients via numerous delivery models. Read about our partnership program and contact us for more information about partnering to fulfill government contracts.