The Cybersecurity Maturity Model Certification (CMMC) is an emerging program created to ensure the cyber protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by companies within the Defense Industrial Base (DIB).
By incorporating a set of cybersecurity requirements, the program enhances data protection within acquisition programs and assures that Defense contractors and subcontractors use secure measures when accessing and exchanging sensitive government information.
On November 4, 2021, the Office of the Secretary of Defense (OSD) released an update to this program, CMMC 2.0. We will look at what has changed since CMMC 1.0 became effective on November 30, 2020, and what new requirements the amended version of the CMMC program introduces.
3 Key Features That Remained Unchanged
- CMMC requires progressively advanced levels of cybersecurity standards implementation for those companies that are entrusted with national security information, depending on its type and sensitivity.
- Prime contractors are responsible for the flow-down of requirements and information to their subcontractors.
- By 2026, DoD contractors that handle CUI and FCI are required to achieve a particular CMMC level as a condition of contract award.
In September 2020, the Department of Defense (DoD) published an interim rule to DFARS in the Federal Register (DFARS Case 2019-D041) that implemented the DoD's initial vision for CMMC 1.0.
On November 30, 2020, the interim rule became effective, establishing a five-year phase-in period.
The DoD initiated an internal review earlier this year, based on more than 850 public comments received in response to the DFARS rule. That review led to the refinement of the policy and of the CMMC program's implementation, and to the recent announcement of CMMC 2.0.
For most organizations in the Defense Industrial Base (DIB), the only change is that they will now be required to certify at Level 2 (the former Level 3 under CMMC 1.0). However, with CMMC 2.0 the DoD has introduced fundamental changes (refer to figure 1) that build upon and refine the original program requirements, and organizations should understand and plan for them accordingly.
3 Levels instead of 5
CMMC 2.0 focuses on the most critical cybersecurity requirements, reducing the total number of certification levels from 5 to 3 by eliminating the transitional Levels 2 and 4 used in CMMC 1.0. The revised levels are designated Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
Like its predecessor, CMMC 2.0 is based on NIST cybersecurity standards. The Advanced level will require full implementation of the 110 NIST SP 800-171 CUI controls, and the Expert level will add cybersecurity requirements drawn from NIST SP 800-172 to further protect CUI.
It is important to note that Level 2 removes the 21 unique CMMC controls that were previously derived from sources such as CERT RMM v1.2, NIST SP 800-53, NIST SP 800-171B, ISO 27002, CIS CSC 7.1, and others.
Reduced Assessment Costs with Higher Accountability
Organizations at the Foundational level (Level 1) can now self-assess, while Advanced level (Level 2) compliance will be a mix of self-assessment for some programs and triennial third-party assessments for more critical or DoD-prioritized information. In addition, there will be increased oversight of the professional and ethical standards of certified third-party assessment organization (C3PAO) assessors.
Collaboration, Flexibility, and Speed
Under specific conditions, companies may receive waivers or obtain certification while operating under a Plan of Action and Milestones (POA&M), with the expectation that the outstanding CMMC requirements will be met within a defined period of time.