An Early Look at CMMC 2.0

Update: This article has been updated to reflect the DoD’s publication of the draft CMMC Proposed Rule (CMMC 2.0).

The Cybersecurity Maturity Model Certification (CMMC) is a standard developed by the Department of Defense (DoD) to protect information in the Defense Industrial Base (DIB). The CMMC applies to any organization in the DoD supply chain, including contractors and subcontractors. It is designed to protect these two types of data:

Federal Contract Information (FCI): FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.

Controlled Unclassified Information (CUI): CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI relevant to the CMMC include:

  • Data on defense, nuclear, and natural resources infrastructures
  • Financial records
  • International agreements
  • Global and domestic defense data
  • Provisional and statistical data from governmental agencies

On December 26th, 2023, the DoD published a draft of the CMMC Proposed Rule, which implements CMMC 2.0. The new version is streamlined and offers more clarity and flexibility regarding the requirements organizations must meet for certification or compliance. The changes in 2.0 are also intended to reduce costs for small businesses. The 60-day comment period on the draft ends on February 26th.

CMMC 2.0 is still in the rulemaking process. The draft of the CMMC Proposed Rule states the following about the implementation timeline:

“The DoD is implementing a phased implementation for CMMC 2.0 and intends to introduce CMMC requirements in solicitations over a three-year period to provide appropriate ramp-up time. This phased implementation is intended to minimize the financial impacts to defense contractors, especially small businesses, and disruption to the existing DoD supply chain. After CMMC is implemented in acquisition regulation, DoD will include CMMC self-assessment requirements in solicitations when warranted by the type of information that will be handled by the contractor or subcontractor(s). CMMC requirements for Levels 1, 2, and 3 will be included in solicitations issued after the phase-in period when warranted by any FCI and/or CUI information protection requirements for the contract effort. In the intervening period, Government Program Managers will have discretion to include CMMC requirements or exclude them and rely upon existing DFARS Clause 252.204–7012 requirements, in accordance with DoD policy. As stated in 32 CFR 170.20(a), there is qualified standards acceptance between DCMA DIBCAC High Assessment and CMMC Level 2, which will result in a staggering of the dates for new CMMC Level 2 assessments. The implementation period will consist of four (4) phases as set forth in 32 CFR 170.3(e), during which time the Government will include CMMC requirements in certain solicitations and contracts. During the CMMC phase-in period, program managers and requiring activities will be required to include CMMC requirements in certain solicitations and contracts and will have discretion to include in others.

A purpose of the phased implementation is to ensure adequate availability of authorized or accredited C3PAOs and assessors to meet the demand.”

Here are some significant differences between the original CMMC and CMMC 2.0:

Three Certification Levels

The number of certification levels is being reduced from five to three. We are still waiting on the specifics of the certification process for each level.

Level 1: Foundational

Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the requirements of 17 practices that represent the safeguarding requirements of the Federal Acquisition Regulation (FAR) 52.204-21.

Level 1 compliance will be an appropriate target for organizations that handle FCI, but not CUI.

Level 2: Advanced

This certification level will be split into two groups. Organizations that handle CUI will need to work with a C3PAO to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.

All organizations seeking Level 2 certification need to prove they have implemented the requirements of NIST SP 800-171 (110 practices). Level 2 will likely be the most common.

Level 3: Expert

This is the most rigorous level of certification. Level 3 should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification, organizations must meet all the requirements found in NIST 800-172. Assessments for Level 3 certification will be government-led and need to be completed every three years.

Plans of Action and Milestones Now Allowed with Limitations

The original CMMC did not allow for Plans of Action and Milestones (POA&M), which are used to document gaps and details on how the gaps will be addressed. Under CMMC 2.0, contractors can use POA&Ms to achieve certification if the POA&Ms include deadlines for mitigating the gaps, subject to specific limitations and requirements. The key aspects of POA&Ms in the new CMMC proposed rule are as follows:

  • POA&Ms are allowed under the CMMC for certain requirements and for a limited time. Specifically, all POA&Ms must be closed within 180 days of the initial assessment.
  • POA&Ms are not permitted for Level 1 assessments in the CMMC framework. However, they are allowed for Level 2 assessments under specific conditions.
  • For CMMC Level 2, POA&Ms are allowed to comply with requirements not met at the time of assessment. However, there are restrictions, such as not being permitted for a number of controls and being allowed only if a contractor achieves a particular assessment score.
  • Organizations seeking CMMC certification do not need a perfect score, but they need to achieve a minimum of 80% or 88 out of 110. Only 1-point controls can be considered for POA&Ms, but not all 1-point controls are eligible for this.

CMMC 2.0 Control Domains

There are 14 control (aka practice) domains in CMMC 2.0, down from 17 in the original. Each domain consists of controls that describe processes or practices your company will need to implement. Only a few of these domains are necessary for Level 1 compliance. All of them are required to obtain a Level 2 or 3 certification.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Management
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Preparing for CMMC 2.0 Certification

Here are some actions your organization can take now to prepare for a successful CMMC 2.0 assessment.

Assess Your Data

Do your DoD contracts involve working with FCI, CUI, or both? The type of information you will handle will determine whether you need to go the Level 1, 2, or 3 route.

Prepare Your Documentation

Be sure all your cybersecurity policies and procedures are documented, have been recently reviewed, and would hold up under the scrutiny of an audit.

Conduct the Appropriate Gap Assessment

When you’ve determined what certification level is right for your business, conduct a gap assessment against the following corresponding standards:

  • Level 1 – FAR
  • Level 2 – NIST 800-171
  • Level 3 – NIST 800-172

Remediate the Gaps

Take action on the discoveries from the gap assessment. If you create any POA&Ms, be sure they document your remediation plans, identify the resources required, and establish milestones and completion dates.

For more in-depth information on CMMC, listen to our CMMC: The Requirements, Challenges, and Benefits podcast.

CompliancePoint has a team of cybersecurity professionals that can guide your organization through every step of the CMMC certification process. Contact us at connect@compliancepoint.com to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.