An Early Look at CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) is a standard developed by the Department of Defense (DoD) to protect information in the Defense Industrial Base (DIB). The CMMC applies to any organization in the DoD supply chain, including contractors and subcontractors. It is designed to protect these two types of data:
Federal Contract Information (FCI): FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.
Controlled Unclassified Information (CUI): CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI relevant to the CMMC include:
- Data on defense, nuclear, and natural resources infrastructures
- Financial records
- International agreements
- Global and domestic defense data
- Provisional and statistical data from governmental agencies
Introduced in 2019, CMMC is a young standard, but the DoD has already announced CMMC 2.0. The new version is streamlined and offers more clarity and flexibility regarding the requirements organizations must meet for certification or compliance. The changes in 2.0 are also intended to reduce costs for small businesses.
CMMC 2.0 is still in the rulemaking process. The expectation is certification will be a requirement to secure DoD contracts by 2025. There are currently still a lot of unknowns about CMMC 2.0, but we do know some of the significant changes from the original version.
Three Certification Levels
The number of certification levels is being reduced from five to three. We are still waiting on the specifics of the certification process for each level.
Level 1: Foundational
Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the requirements of 17 practices that represent the safeguarding requirements of the Federal Acquisition Regulation (FAR) 52.204.21.
Level 1 compliance will be an appropriate target for organizations that handle FCI, but not CUI.
Level 2: Advanced
This certification level will be split into two groups. Organizations that handle CUI will need to work with a C3PAO to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.
All organizations seeking Level 2 certification need to prove they implemented the requirements of NIST SP 800-171 (110 practices). Level 2 will likely be the most common.
Level 3: Expert
The most rigorous level of certification. Level 3 should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification organizations must meet all the requirements found in NIST 800-172. Assessments for Level 3 certification will be government-led and need to be completed every three years.
Plans of Action and Milestones Now Allowed
The original CMMC did not allow for Plans of Action and Milestones (POA&M), which are used to document gaps and details on how the gaps will be addressed. Under CMMC 2.0, contractors can use POA&Ms to achieve certification if specific deadlines for mitigating gaps are included.
CMMC 2.0 Control Domains
There are 14 control (aka practice) domains in CMMC 2.0, down from 17 in the original. Each domain is constructed of controls that describe processes or practices your company will need to implement. Only a few of these areas are necessary for Level 1 compliance. They are all required to obtain a Level 2 or 3 certification.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Systems and Communications Protection
- System and Information Integrity
Preparing for CMMC 2.0 Certification
Here are some actions your organization can take now to prepare for a successful CMMC 2.0 assessment.
Assess Your Data
Do your DoD contracts involve working with FCI, CUI, or both? The type of information you will handle will determine if you need to go the Level 1,2, or 3 route.
Prepare Your Documentation
Be sure all your cybersecurity policies and procedures are documented, have been recently reviewed, and would hold up the scrutiny of an audit.
Conduct the Appropriate Gap Assessment
When you’ve determined what certification level is right for your business, conduct a gap assessment against the following corresponding standards:
Level 1 – FAR
Level 2 – NIST 800-171
Level 3 – NIST 800-172
Remediate the Gaps
Take action on the discoveries from the gap assessment. If you create any POA&Ms, be sure they document your remediation plans, identify the resources required, and establish milestones and completion dates.
CompliancePoint has a team of cybersecurity professionals that can guide your organization through every step of the CMMC certification process. Contact us at connect@compliancepoint.com to learn more about how we can help.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.