Most US Department of Defense (DoD) contractors have heard about the forthcoming Cybersecurity Maturity Model Certification (CMMC) requirements by now. If you're unfamiliar with the announcement, the DoD has issued an update to the Cybersecurity Maturity Model Certification known as CMMC 2.0, or version 2.
The CMMC model is an assessment framework and certification program created by the DoD to strengthen its cybersecurity standards and better safeguard sensitive data from attacks on its supply chain. The CMMC's origins date back to 2010, when Executive Order (EO) 13556 established a uniform program for handling controlled unclassified information (CUI), including dissemination controls and guidelines for protecting such material in compliance with US federal law.
Building on EO 13556, and in response to an increasingly hostile threat environment, the DoD released new and enhanced cybersecurity guidelines as CMMC version 1.0 on January 31, 2020. CMMC 2.0 is the latest update to the certification program, intended to protect US ingenuity and defense secrets from the uptick in sophisticated cyberattacks.
To remain eligible for DoD work, current defense contractors must demonstrate, through self-assessments and third-party assessments, that they adhere to the updated cybersecurity requirements established in CMMC 2.0. While DoD contractors may already have been required to demonstrate compliance with NIST SP 800-171 as early as 2021, a further phased implementation of CMMC 2.0 is projected to begin in May 2023.
Many DoD prime contractors are already requiring their subcontractors to become CMMC 2.0 compliant, both for improved security and in the expectation that the requirement will eventually be enforced across the board. Given that the CMMC program is relatively new and has undergone several notable changes in a short time, we've put together the following guide to help defense contractors achieve and maintain their CMMC standing.
What is CMMC 2.0?
CMMC 2.0 is the latest update to the Cybersecurity Maturity Model Certification program, which first launched in January 2020. This edition updates the requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The release notes indicate that the updates were made after soliciting feedback from DoD contractors and other federal partners and stakeholders.
Among the primary objectives of CMMC 2.0 is to streamline the certification process and make the compliance standards easier to understand and align with. Any government agency, or any of its hundreds of thousands of private-sector partners that transmit and receive CUI, is a potential target for a cyberattack.
The onus, therefore, lies on DoD contractors to maintain a strong security posture and reduce or eliminate vulnerabilities, including those that subcontractors within their supply chain could introduce. CMMC 2.0 simplifies the terms and standards outlined in CMMC 1.0, chiefly by reducing the five certification levels to three and tying every Level 2 requirement to the codified cybersecurity requirements of NIST SP 800-171.
Who needs to be CMMC 2.0 compliant?
CMMC certification requirements apply to civilian organizations that do business with the DoD on a contractual basis. Generally speaking, CMMC 2.0 compliance covers anyone working within the defense supply chain. The DoD estimates that the standard could affect as many as 300,000 private-sector organizations, including:
- DoD prime contractors
- DoD subcontractors
- Defense Industrial Base (DIB) suppliers
- Small-business DoD suppliers
- Any commercial supplier handling CUI
- Foreign suppliers
- Outsourced managed IT providers
Does CMMC 2.0 apply to all partners in the DoD supply chain?
The short answer is yes. CMMC compliance is mandatory for entities working within the DoD supply chain, including companies that handle FCI, CUI, and other non-public government data. The latest updates make clear that the standards will ultimately apply to essentially anyone with a hand in the DoD supply chain, not just prime contractors. All DoD subcontractors, regardless of their certification tier, along with suppliers, vendors, and consultants, must achieve and maintain CMMC 2.0 compliance before partnering with the DoD.
How does CMMC 2.0 differ from CMMC 1.0?
The first version of CMMC established five maturity levels; CMMC 2.0, to simplify matters, has only three. Another key difference is that the second version drops the CMMC-specific maturity processes and the practices that went beyond NIST SP 800-171 in the initial release. As a result, the CMMC 2.0 requirements align much more closely with the established NIST SP 800 series.
In 2015, five years before CMMC formally rolled out, the DoD outlined its cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008 and 252.204-7012. The regulation required contractors to adopt the cybersecurity requirements established by the National Institute of Standards and Technology (NIST).
At the time, regulations only required contractors to represent that they had implemented NIST SP 800-171 by the end of 2017. NIST SP 800-171 is part of a broader US government effort to safeguard the DoD supply chain from an increasing onslaught of cyberattacks and other national security risks. Despite the DoD's efforts to enforce compliance, the self-attestation approach to NIST SP 800-171 proved less than effective, with many defense contractors practicing, at best, marginal security hygiene.
This lackluster attention to cybersecurity, coupled with the absence of a clear, uniform set of standards, needlessly placed CUI at risk. The DoD therefore introduced CMMC as a more effective means of ensuring that contractors meet and maintain the cybersecurity level appropriate to the work they perform for the US government. So, while CMMC 1.0 was intended to replace self-attestation with a stricter audit and certification process, the November 2021 launch of CMMC 2.0 is meant to simplify, and in some respects relax, the requirements established under the initial program.
CMMC 2.0 allows some contractor organizations to self-assess and attest to compliance without passing a third-party assessment. This segment could represent as many as 80,000 DoD contractors. Likewise, the pass/fail assessment process was amended to allow a Plan of Action and Milestones (POA&M) for organizations that don't pass their initial assessment. The details of this process remain unclear: the number of failed assessments and POA&Ms an organization can submit isn't specified, nor are the severity levels assigned to findings.
In January 2022, the DoD announced that it was shifting CMMC governance and oversight to its Office of the Chief Information Officer. Shortly afterward, the DoD published guidance restricting self-assessment at Levels 2 and 3, reinstating the requirement for an independent assessment for companies in either of those tiers.
The general idea was that all materials categorized outside of Federal Contract Information (FCI) should be treated as CUI, and that virtually every contractor working within the DoD supply chain must access CUI to perform its duties. Federal regulators subsequently determined that independent assessments should be required for Level 2 and Level 3 contractors under the CMMC 2.0 model.
Some DoD contractors saw this as a step backward, as they were under the impression that many could return to self-assessment. The announcement also muddied the intent behind CMMC 2.0, since the assessment requirements once again resemble those of CMMC 1.0. A further problem is that access to qualified third-party assessors may be limited.
Many also have questions about how long these external assessments will take, particularly since businesses may need to be reassessed for any failed practices. Relying too heavily on POA&Ms to get through the assessment also carries risk: contract awards could be delayed or denied outright, creating resource and funding constraints for active DoD supply chain partners who never had to deal with these assessments before.
What are the three levels of CMMC 2.0?
The CMMC 2.0 framework, released in November 2021, reduced the certification levels from five to three and organizes its cybersecurity standards and practices by domain. Each domain is divided into required controls, which are in turn mapped to specific capability groups.
We'll cover the domains in more detail in the following section. These categories specify contractor achievements and targets so that the cybersecurity objectives are clear and uniformly applied within each CMMC domain.
Defense contractors must demonstrate compliance with the established capabilities to achieve and maintain their CMMC level. The framework measures the contractor's technical ability to satisfy each capability requirement. The assessment is structured as follows:
- Domains – the areas of cybersecurity capability a DoD contractor is assessed on
- Capabilities – the achievements required to ensure cybersecurity within each domain
- Practices and processes – the activities required to achieve a capability at a given level
The CMMC 2.0 model defines three distinct certification levels, each aligned to a set of standards and practices ranging from basic cyber hygiene to advanced cybersecurity capabilities. Before an organization can be awarded a specific certification level, it must satisfy the standards and processes that correspond to that level, which are defined as follows:
CMMC 2.0 Level 1: Foundational
Any contractor that handles Federal Contract Information (FCI) must, at a minimum, meet Level 1, which is considered foundational. To meet this level, DoD contractors must demonstrate and maintain basic adherence to the 17 cyber hygiene practices drawn from the safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21. The same practices are defined in more detail in NIST SP 800-171.
The federal government does not regard FCI as requiring the same protection as CUI. The DoD therefore allows Level 1 contractors to self-assess their cybersecurity annually, submitting their self-assessment results and supporting documentation to the Supplier Performance Risk System (SPRS). At this time, third-party assessments are not required for Level 1.
CMMC 2.0 Level 2: Advanced
Contractors that handle controlled unclassified information (CUI) must attain Level 2. They must align with the 17 practices from Level 1 plus 93 more, for a total of the 110 requirements set out in NIST SP 800-171, to satisfy CMMC Level 2. As at Level 1, the DoD allows some contractors to self-assess annually and submit the necessary documentation.
However, contracts carry different amounts of risk. For what the DoD calls "prioritized acquisitions," contractors must undergo triennial assessments by a CMMC Third Party Assessment Organization (C3PAO) to achieve and maintain certification. The DoD works with The Cyber AB (the CMMC Accreditation Body) to run certification within its ecosystem; currently, no other private partner handles CMMC oversight on behalf of the DoD.
The Cyber AB is responsible for implementing the CMMC conformance regime, and contractors just starting the Level 2 process can draw on its ecosystem of accredited assessors and registered practitioners. In general, only a small minority of contractors are exempt from a C3PAO assessment at Level 2; most should expect to undergo a third-party assessment to achieve and maintain Level 2 certification.
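A Level 2 self-assessment is reported to SPRS as a score, not as a pass/fail, and the score is what drives the POA&M. The following Python script is an added example, not code from the page or from the DoD: it scores an assessment in the style of the NIST SP 800-171 DoD Assessment Methodology, where every one of the 110 requirements starts as earned and each unimplemented one subtracts its weight of 1, 3, or 5 points, with the partial-credit cases for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The requirement subset, its weights, and the sample statuses below are constructed for illustration; confirm weights against the current methodology before filing anything in SPRS.

```python
"""SPRS-style self-assessment scorer (added example; illustrative subset only)."""
from __future__ import annotations

from dataclasses import dataclass

MAX_SCORE = 110  # one point per NIST SP 800-171 requirement before deductions


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int                 # points lost when not implemented (1, 3 or 5)
    partial_deduction: int = 0  # points lost when partially implemented; 0 = no partial credit


# Constructed subset of NIST SP 800-171 Rev. 2 requirements. Weights are assumed
# from the DoD Assessment Methodology for illustration; a real run covers all 110.
REQUIREMENTS = {
    "3.1.1": Requirement("3.1.1", "Limit system access to authorized users", 5),
    "3.1.22": Requirement("3.1.22", "Control CUI posted on publicly accessible systems", 1),
    "3.3.1": Requirement("3.3.1", "Create and retain audit logs", 5),
    "3.4.1": Requirement("3.4.1", "Establish and maintain baseline configurations", 5),
    "3.5.3": Requirement("3.5.3", "Use multifactor authentication", 5, partial_deduction=3),
    "3.13.11": Requirement("3.13.11", "Employ FIPS-validated cryptography", 5, partial_deduction=3),
    "3.14.1": Requirement("3.14.1", "Identify, report and correct system flaws", 5),
}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def deduction(req: Requirement, status: str) -> int:
    """Points subtracted for one requirement. Partial credit exists only where the
    methodology defines it; elsewhere 'partial' counts as not implemented."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req.req_id}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and req.partial_deduction:
        return req.partial_deduction
    return req.weight


def score_assessment(assessment: dict[str, str]) -> tuple[int, list[tuple[str, int, str]]]:
    """Return (score, gaps). Gaps are (req_id, points_lost, status), highest loss first,
    which is the natural ordering for a POA&M. Requirements missing from the
    assessment are treated as not implemented rather than silently skipped."""
    gaps: list[tuple[str, int, str]] = []
    for req_id, req in REQUIREMENTS.items():
        status = assessment.get(req_id, "not_implemented")
        lost = deduction(req, status)
        if lost:
            gaps.append((req_id, lost, status))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return MAX_SCORE - sum(g[1] for g in gaps), gaps


# Constructed sample: MFA and encryption are in place but not fully compliant,
# flaw remediation is missing, and 3.1.22 was never assessed at all.
SAMPLE_ASSESSMENT = {
    "3.1.1": "implemented",
    "3.3.1": "implemented",
    "3.4.1": "implemented",
    "3.5.3": "partial",       # MFA for remote/privileged users but not all general users
    "3.13.11": "partial",     # encryption in use, but not FIPS-validated modules
    "3.14.1": "not_implemented",
}

if __name__ == "__main__":
    total, gaps = score_assessment(SAMPLE_ASSESSMENT)
    print(f"SPRS-style score: {total}/{MAX_SCORE}")
    for req_id, lost, status in gaps:
        print(f"  POA&M candidate {req_id}: -{lost} ({status}) {REQUIREMENTS[req_id].title}")
```

Treating an unassessed requirement as a deduction is deliberate: a score that quietly skips requirements overstates your posture, and an assessor will not skip them.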
CMMC 2.0 Level 3: Expert
Contractors that handle the most sensitive CUI need Level 3. Achieving this expert-level certification requires aligning with the 110 NIST SP 800-171 requirements covered by Levels 1 and 2, plus a subset of the enhanced requirements in NIST SP 800-172, which the DoD had yet to finalize at the time of writing.
Unlike Levels 1 and 2, Level 3 offers no self-assessment option. Companies handling the most sensitive CUI must undergo a government-led assessment every three years to be certified at this level. Expect the Level 3 requirements to be specified in more detail, based on NIST SP 800-172, in the near term.
What are the 17 core security domains of CMMC 2.0?
While the three certification levels described above are relatively straightforward, the 17 security domains demand closer attention. These are the security practices and processes businesses must adhere to before handling CUI under the Level 2 and Level 3 certifications. The DoD regards the domains as critical to safeguarding CUI, and they form the foundation for all three CMMC levels. Note that the 17 domains originate in CMMC 1.0; CMMC 2.0 Level 2 maps directly to the 14 requirement families of NIST SP 800-171, so Asset Management, Recovery, and Situational Awareness no longer appear as stand-alone domains, although their underlying practices remain relevant. Let's take a look at each of the 17 domains in more detail:
1. Access Control (AC)
Access Control describes the practice of limiting CUI access on a need-to-know basis. This principle ensures that only authorized and authenticated parties can reach CUI, using several strategies to identify approved users. Access control must also track, monitor, and log user access to CUI.
2. Asset Management (AM)
The Asset Management domain addresses the practices and standards for documenting and monitoring the lifecycle of information system assets. Also known as IT asset lifecycle management, it covers overseeing an information system asset from acquisition to disposal.
The DoD requires these practices to prevent unauthorized access to CUI and to defeat attacks that target sensitive, confidential information. Asset Management is also vital to incident response planning: you cannot protect, or detect tampering with, an asset you do not know you have. Once the appropriate controls are in place, it protects information system assets from unauthorized modification, destruction, disposal, and theft.
3. Audit and Accountability (AU)
Audit and Accountability focuses on user tracking and verification. Any activity involving CUI, such as logging into a system or altering data, must be logged and monitored. To satisfy this domain, contractors must retain audit logs and review them periodically. The primary objective of Audit and Accountability is to ensure that CUI is properly maintained and to provide a means of both deterring and investigating unauthorized access to and use of CUI.
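The Access Control and Audit and Accountability domains only pay off if someone actually reads the logs. The following Python script is an added example, not code from the page, of the periodic review those domains call for: it walks a log of logins and file operations, checks every touch of a CUI location against a need-to-know allow-list, and raises findings for CUI reached by an unapproved account, denied attempts on CUI, bursts of failed logins, and lines the parser cannot read (a gap in the audit trail is itself a finding). The log format, the allow-list (CUI_ACL), the threshold, and the sample lines are all constructed for the example.

```python
"""Audit log review for CUI access (added example with constructed log format)."""
from __future__ import annotations

import re
from collections import Counter

# Assumed log format:
#   <timestamp> <event> user=<name> src=<ip> [path=<path>] result=<ok|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: path=(?P<path>\S+))? result=(?P<result>ok|denied)$"
)

# Constructed policy: accounts approved for each CUI location (need-to-know).
CUI_ACL = {
    "/cui/program-x/": {"alice", "bob"},
    "/cui/export/": {"alice"},
}
FAILED_LOGIN_THRESHOLD = 3  # assumed review threshold per user/source pair

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z login user=alice src=10.0.0.5 result=ok
2024-03-01T08:00:10Z file_read user=alice src=10.0.0.5 path=/cui/program-x/spec.docx result=ok
2024-03-01T08:01:00Z login user=mallory src=10.0.0.99 result=denied
2024-03-01T08:01:05Z login user=mallory src=10.0.0.99 result=denied
2024-03-01T08:01:09Z login user=mallory src=10.0.0.99 result=denied
2024-03-01T08:02:00Z file_read user=carol src=10.0.0.7 path=/cui/program-x/bom.xlsx result=ok
2024-03-01T08:03:00Z file_write user=bob src=10.0.0.6 path=/cui/export/drawings.zip result=denied
2024-03-01T08:04:00Z file_read user=bob src=10.0.0.6 path=/public/readme.txt result=ok
"""


def parse_line(line: str) -> dict[str, str | None] | None:
    """Parse one log line into a dict, or None if it does not match the format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def cui_location(path: str) -> str | None:
    """Return the CUI location prefix that covers path, or None for non-CUI paths."""
    for prefix in CUI_ACL:
        if path.startswith(prefix):
            return prefix
    return None


def review(log_text: str) -> list[dict[str, str]]:
    """Walk the log and return findings a reviewer should act on."""
    findings: list[dict[str, str]] = []
    failed_logins = Counter()  # (user, src) -> count of denied logins

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append({"type": "unparsed_line", "detail": line})
            continue
        if rec["event"] == "login":
            if rec["result"] == "denied":
                failed_logins[(rec["user"], rec["src"])] += 1
            continue
        location = cui_location(rec["path"] or "")
        if location is None or rec["user"] in CUI_ACL[location]:
            continue  # non-CUI path, or an approved user: nothing to flag
        # An 'ok' result for an unapproved user means the technical control did not
        # match the policy; a 'denied' result means it held, but the attempt is still logged.
        kind = "unauthorized_cui_access" if rec["result"] == "ok" else "denied_cui_attempt"
        findings.append({"type": kind, "user": rec["user"], "src": rec["src"],
                         "path": rec["path"] or "", "ts": rec["ts"] or ""})

    for (user, src), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"type": "repeated_failed_login", "user": user,
                             "src": src, "count": str(count)})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample data the review surfaces three items: carol reading program-x CUI despite not being on the allow-list (the control gap to fix first), bob's denied write to the export share (the control held, but the attempt should be explained), and mallory's repeated failed logins.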
4. Awareness and Training (AT)
Security awareness training requirements are covered in the Awareness and Training domain. DoD contractors must run an adequate security awareness program covering cybersecurity basics. Organizations should be able to evidence a reliable training program that covers identifying security threats, safeguarding CUI, data disposal procedures, and how to respond to a security breach.
5. Configuration Management (CM)
Configuration Management establishes practices for maintaining the integrity of information systems, including documenting that process throughout the system lifecycle. The domain calls for a baseline configuration of the information system, including an inventory of its components and a record of any changes made to the baseline, so that the deployed state can be verified against the approved one. CM outlines the criteria for protecting CUI and the system elements that handle it, and for ensuring their availability.
6. Identification and Authentication (IA)
This domain covers the security practices for verifying the identity of processes and individuals. Identification and Authentication establishes the criteria for ensuring that only authorized users can access CUI. It also sets out the proper practices for password, biometric, and token use to authenticate and identify the appropriate parties and their devices. The DoD deems ensuring that only approved users can access the information they need essential to protecting CUI.
7. Incident Response (IR)
The Incident Response domain sets the requirements for responding to breaches and other security incidents. Detecting and reacting to cybersecurity incidents and other threats requires an approved action and containment plan. Businesses must also demonstrate a reliable recovery process to restore normal operations, investigate the source of the incident, and take the appropriate steps to prevent a recurrence.
8. Maintenance (MA)
Maintaining operational systems and all their components is essential to managing and safeguarding CUI. The Maintenance domain sets the parameters for maintaining information systems through administrative, corrective, and preventive maintenance. Its purpose is to ensure that system components and software remain up to date and that the contractor follows established procedures to protect CUI during maintenance.
9. Media Protection (MP)
The Media Protection domain addresses removable media such as optical discs, USB flash drives, portable hard drives, and other external storage. It defines how organizations should safeguard removable media from threats and properly sanitize and dispose of it. Media Protection also provides a framework for encrypting CUI on portable media and for enforcing access control policies on removable media and the devices that house it.
10. Personnel Security (PS)
The Personnel Security domain defines the security requirements for staff who access CUI. Employees and contractors inside and outside the organization who access and process CUI must demonstrate adequate knowledge of the policies governing access to, modification of, and destruction of controlled unclassified information. They must be able to implement the policies that protect CUI, pass the required background screening, and hold the appropriate security-related qualifications.
11. Physical Protection (PE)
Physical Protection provides guidance on the security practices for physical resources such as computers, hardware, networks, and other devices. This domain establishes the protocols for protecting the physical infrastructure used to manage CUI against unauthorized access, modification, and theft. It promotes security readiness through controls such as locks, guards, barriers, and physical authentication devices.
12. Recovery (RE)
DoD contractors must be prepared to restore their systems and components after a critical breach or cyberattack. Recovery enumerates the practices for restoring the information systems and environments used to manage and store CUI. The standards underscore the importance of investigating the security incident and mitigating its impact while preventing similar occurrences in the future.
13. Risk Management (RM)
This domain establishes practices and standards for identifying, evaluating, and mitigating security risks to reduce the organization's susceptibility to breaches and cyberattacks. It calls for assessing the risks to any assets and systems used to handle CUI and sets guidelines for implementing the protection measures and controls needed to secure sensitive government data.
14. Security Assessment (CA)
The Security Assessment domain provides the processes for identifying the appropriate security requirements and determining which security controls to implement. Its practices provide a framework for identifying potential security risks and cyber threats and entail routine vulnerability and risk assessments. Security assessment also covers the guidelines and policies for developing sound security practices and monitoring your own compliance.
15. Situational Awareness (SA)
Situational Awareness focuses on the ability to detect threats and security vulnerabilities within the contractor's environment. Companies that partner with the DoD should be adept at observing any changes in their environment that could contribute to a breach and responding accordingly. Situational awareness is critical to maintaining a healthy security posture, and identifying potential threats before they escalate into a breach is vital to safeguarding CUI.
16. System and Communications Protection (SC)
This domain covers DoD contractors' communication systems and methods. System and Communications Protection seeks to prevent unauthorized access to, destruction of, or theft of these systems through critical security controls such as firewalls, encryption, and authentication services.
17. System and Information Integrity (SI)
The CMMC 2.0 model is designed to ensure the accuracy and reliability of DoD contractor systems. System integrity plays a significant role in preventing threats, which is why periodic reviews to detect anomalies matter. The System and Information Integrity domain gives contractors a set of standards for reviewing their systems to verify they are secure and unaltered.
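Both Configuration Management (a documented baseline with a record of changes) and System and Information Integrity (verifying that systems are unaltered) come down to the same mechanical check: capture what the approved state looks like, then compare the live state against it. The following Python script is an added example, not code from the page or from any CMMC tooling, that builds a SHA-256 inventory of a directory tree as the baseline, stores it as JSON, and later diffs a fresh snapshot against it to report added, removed, and modified files. The directory contents and the simulated drift are constructed in a temporary folder so the script runs stand-alone.

```python
"""Configuration baseline and integrity check (added example with constructed files)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative, /-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(inventory: dict[str, str], dest: Path) -> None:
    """Persist the approved baseline; in practice store it off-host and integrity-protect it."""
    dest.write_text(json.dumps(inventory, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the approved baseline and the live snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a baseline from constructed files, simulate drift, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "etc" / "audit.rules").write_text("-w /cui -p rwa -k cui_access\n")

        # Keep the baseline outside the tree it describes so drift cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated unauthorized drift: a weakened setting, a deleted audit rule, a new file.
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "etc" / "audit.rules").unlink()
        (root / "etc" / "rogue.conf").write_text("debug=1\n")

        return diff_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every entry the diff reports should be traceable to a change record; anything that is not is either an undocumented change (a CM finding) or tampering (an SI finding), and the baseline itself must be stored somewhere the monitored host cannot modify.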
Getting CMMC certified
Preparing your organization for CMMC certification depends on your current IT staff and resources and on the certification level you're seeking. While some companies prepare for CMMC certification in-house, others rely on consultation from trusted cybersecurity outsourcers like PCH Technologies.
NIST provides guides such as its Self-Assessment Handbook that can help businesses assess their security requirements and determine whether they align with the practices and standards outlined in NIST SP 800-171. The handbook can show DoD supply chain contractors where they stand with respect to DFARS clause 252.204-7012. Many contractors, however, will need additional expert resources if they expect to pass their third-party CMMC assessment on the first attempt.
The risks of failing the CMMC 2.0 assessment on the first try are significant. Given the apparent shortage of third-party assessors, contractors could lose substantial time and money if they don't pass at the first attempt. They'll likely incur additional costs remediating their gaps and, because of backlogs, could wait indefinitely for the next assessment slot. Such delays may prove costly for contractors who counted on a DoD contract when forecasting their annual budgets.
Should I consider outsourcing CMMC?
Outsourcing CMMC preparation can benefit contractors who lack the skills and resources to prepare for and satisfy the complex and sometimes confusing requirements of NIST SP 800-171 Rev. 2 and SP 800-172. In fact, the applicable SP 800-172 requirements are still to be determined, which could leave contractors exposed to an assessment failure if they can't pivot quickly and adjust before the third-party examination.
For smaller organizations, partnering with a Managed Security Services Provider (MSSP) like PCH Technologies can be an efficient path to getting up to speed, completing their compliance initiative, and meeting the CMMC 2.0 requirements on the first run. A qualified MSSP will already have prepared for the assessment process and be familiar enough with its templates to build a robust security plan that positions you to be awarded DoD contracts in a timely manner.
If a contractor fails an assessment and finds itself in remediation, experienced MSSPs have the resources and specialized knowledge to help complete the remedial activities needed to restore an unencumbered certification status. Third-party providers also bring modern security tooling to strengthen your posture through 24/7/365 monitoring, including prevention and mitigation strategies tailored to your business.
In many cases, outsourcing CMMC requirements helps contractors save time and conserve valuable resources. When interviewing a prospective MSSP, ask whether it is a CMMC Registered Provider Organization (RPO). RPOs have a thorough understanding of the CMMC practices and standards and can help your organization meet the requirements for the certification level you're seeking.
Once the DoD contract is awarded and your business is CMMC compliant, you still need to keep monitoring your systems and hunting for potential threats, and to report cybersecurity incidents to the government through its own systems. In most cases, this requires specialized tools and expertise that can be cost-prohibitive to maintain, especially for smaller organizations on a thin budget.
Contractors in this category frequently opt to outsource their cybersecurity requirements to an MSSP that specializes in meeting and sustaining CMMC requirements. The outsourcer will work with you to develop a living document called a System Security Plan (SSP) that can be updated as the DoD introduces new changes. The plan assigns personnel responsibilities, defines company policies, and allocates administrative tasks.
To ensure you continue to meet NIST SP 800-171 and CUI requirements, the SSP documents the specifics of your environment and every system that stores, processes, or transmits CUI. It shows how CUI passes between systems and describes your authentication and authorization processes, so that you never fall out of CMMC compliance.
What’s next for DoD contractors?
Whether you outsource your CMMC needs or handle them in-house, it's paramount that DoD contractors start preparing now to meet the assessment requirements. All higher-priority Level 2 contracts will require certification by a third-party assessment organization, and the CMMC certification process is expected to apply to all DoD contracts by 2026.
Interested in learning more about how to cut CMMC preparation and remediation expenses? PCH Technologies is an MSSP that provides comprehensive assessments for DoD contractors preparing for an upcoming CMMC assessment. For more details, schedule your free discovery call online or call us at (856) 754-7500 now.