An Early Look at CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) is a standard developed by the Department of Defense (DoD) to protect information in the Defense Industrial Base (DIB). The CMMC applies to any organization in the DoD supply chain, including contractors and subcontractors. It is designed to protect these two types of data:

Federal Contract Information (FCI): FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.

Controlled Unclassified Information (CUI): CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI relevant to the CMMC include:

  • Data on defense, nuclear, and natural resources infrastructures
  • Financial records
  • International agreements
  • Global and domestic defense data
  • Provisional and statistical data from governmental agencies

Introduced in 2019, CMMC is a young standard, but the DoD has already announced CMMC 2.0. The new version is streamlined and offers more clarity and flexibility regarding the requirements organizations must meet for certification or compliance. The changes in 2.0 are also intended to reduce costs for small businesses.

CMMC 2.0 is still in the rulemaking process. The expectation is certification will be a requirement to secure DoD contracts by 2025. There are currently still a lot of unknowns about CMMC 2.0, but we do know some of the significant changes from the original version.

Three Certification Levels

The number of certification levels is being reduced from five to three. We are still waiting on the specifics of the certification process for each level.

Level 1: Foundational

Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the requirements of 17 practices that represent the safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21.

Level 1 compliance will be an appropriate target for organizations that handle FCI, but not CUI.

Level 2: Advanced

This certification level will be split into two groups. Organizations that handle CUI will need to work with a CMMC Third-Party Assessment Organization (C3PAO) to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.

All organizations seeking Level 2 certification need to prove they implemented the requirements of NIST SP 800-171 (110 practices). Level 2 will likely be the most common.

Level 3: Expert

Level 3 is the most rigorous certification level. It should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification, organizations must meet all the requirements found in NIST SP 800-172. Assessments for Level 3 certification will be government-led and need to be completed every three years.

Plans of Action and Milestones Now Allowed

The original CMMC did not allow for Plans of Action and Milestones (POA&M), which are used to document gaps and details on how the gaps will be addressed. Under CMMC 2.0, contractors can use POA&Ms to achieve certification if specific deadlines for mitigating gaps are included.

CMMC 2.0 Control Domains

There are 14 control (aka practice) domains in CMMC 2.0, down from 17 in the original. Each domain is constructed of controls that describe processes or practices your company will need to implement. Only a few of these areas are necessary for Level 1 compliance. They are all required to obtain a Level 2 or 3 certification.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Management
  12. Security Assessment
  13. Systems and Communications Protection
  14. System and Information Integrity

Preparing for CMMC 2.0 Certification

Here are some actions your organization can take now to prepare for a successful CMMC 2.0 assessment.

Assess Your Data

Do your DoD contracts involve working with FCI, CUI, or both? The type of information you will handle will determine whether you need to go the Level 1, 2, or 3 route.

Prepare Your Documentation

Be sure all your cybersecurity policies and procedures are documented, have been recently reviewed, and would hold up to the scrutiny of an audit.

Conduct the Appropriate Gap Assessment

When you’ve determined what certification level is right for your business, conduct a gap assessment against the following corresponding standards:

  • Level 1 – FAR 52.204-21
  • Level 2 – NIST SP 800-171
  • Level 3 – NIST SP 800-172

Remediate the Gaps

Take action on the discoveries from the gap assessment. If you create any POA&Ms, be sure they document your remediation plans, identify the resources required, and establish milestones and completion dates.

CompliancePoint has a team of cybersecurity professionals that can guide your organization through every step of the CMMC certification process. Contact us at to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.