“Cybersecurity is foundational. It cannot be traded off for cost, schedule or performance.”
Katie Arrington, the “Mother of CMMC”
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD) framework for verifying that contractors meet required cybersecurity standards before they are awarded contracts. It was put in place after a 2017 audit found that barely 60% of DoD contractors were compliant with DFARS clause 252.204-7012. The audit report was titled “Alarming Industry Trends Reported in DFARS Cybersecurity Compliance.”
As a stopgap measure, the DoD published an interim rule in September 2020 that required Defense Industrial Base (DIB) contractors to become CMMC compliant. This rule outlined the basic features of the framework and became effective on November 30th, 2020, establishing a five-year phase-in period for all DoD contractors, with every contract requiring some level of CMMC by 2025. These requirements became known as “CMMC 1.0.”
CMMC 1.0 required every company to undergo an external audit by a CMMC Third-Party Assessor Organization (C3PAO). It used a five-level model, with a different number of controls at each level. As in version 2.0, the level a company needed depended on what kind of Controlled Unclassified Information (CUI) it handled.
Here is a quick breakdown of the 5 levels from CMMC 1.0:
Level 1: 17 practices/controls (all from NIST SP 800-171)
Level 2: 72 practices/controls (65 from NIST SP 800-171)
Level 3: 130 practices/controls (110 from NIST SP 800-171)
Level 4: 156 practices/controls (110 from NIST SP 800-171)
Level 5: 171 practices/controls (110 from NIST SP 800-171)
On November 4th, 2021, the DoD released CMMC v2.0 after an internal review of CMMC 1.0’s implementation exposed several shortcomings. The review was informed by more than 850 public comments on version 1.0. The changes remain controversial among stakeholders: some believe the revisions remove the teeth of the regulation and relax requirements too far, while others applaud the DoD for reducing the cost of compliance for small businesses.
Here is a breakdown of the new levels:
Organizations seeking Level 1 (Foundational) compliance must perform 17 “Basic Cyber Hygiene” practices, the same controls as Level 1 in version 1.0. Level 1 applies to companies that do not handle Controlled Unclassified Information (CUI) but do have to safeguard Federal Contract Information (FCI); typically these are smaller suppliers.
The Level 1 practices are focused on safeguarding FCI and are things organizations should be doing anyway, such as requiring complex passwords and locking doors when a room is left unattended.
Under CMMC v2.0, organizations at this level are no longer required to pass a third-party audit. Instead, they submit an annual self-assessment, which a senior company official must sign to affirm that the organization is compliant.
CMMC Level 2, Advanced, replaces the 130 controls of CMMC v1.0 Level 3 with the 110 controls of NIST SP 800-171. Most companies at this level will be required to pass an external audit by a C3PAO every three years. However, a subset of companies handling less sensitive CUI will be allowed to self-assess annually and to keep a Plan of Action & Milestones (POA&M) in place to address any gaps. Waivers are expected to be available in limited circumstances, and more detail will become available as the DoD continues the rulemaking process.
CMMC Level 3, Expert, is still in development, but it is most closely related to Level 5 in version 1.0. It will encompass all 110 controls in NIST SP 800-171 plus additional controls drawn from NIST SP 800-172, to be announced at a later date. No companies at this level will be allowed to self-assess; instead they will undergo a government-led assessment by the DoD, not a C3PAO, every 3 years.
Unlike version 1.0, CMMC 2.0 lets every company at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) demonstrate compliance through self-assessment.
Although there will undoubtedly be more changes as the DoD further refines CMMC, one thing is certain to remain constant: NIST SP 800-171 compliance. Most companies that handle CUI will fall into Level 2 or 3 of v2.0 and will therefore need to be validated by an external assessment, whether by a C3PAO or by the DoD. Moreover, NIST SP 800-171 compliance is already mandated in DoD contracts by DFARS 252.204-7012.
CMMC is, in essence, an extension of DFARS 7012 that adds an external audit requirement for most companies and additional controls for the companies that handle the most critical CUI.
What is DFARS?
DFARS is the Defense Federal Acquisition Regulation Supplement, the DoD’s supplement to the Federal Acquisition Regulation. In December 2015 the DoD updated DFARS clause 252.204-7012 to require all contractors that handle CUI to implement the security requirements of NIST SP 800-171, with a deadline of December 31st, 2017. Four DFARS clauses are central to cybersecurity: 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 7019 (notice of NIST SP 800-171 DoD assessment requirements), 7020 (NIST SP 800-171 DoD assessment requirements), and 7021 (CMMC requirements).
Both DFARS and CMMC require companies to be NIST SP 800-171 compliant, but CMMC adds additional controls for the small percentage of companies handling the most critical CUI. Whereas DFARS 7012 lets every company self-attest its compliance, CMMC will require most companies handling CUI to be assessed by a third party, either a C3PAO or the DoD itself.
Both standards, in their current form, allow a company to keep a POA&M in place to address gaps in its compliance. That is a reversal from CMMC v1.0, which required full certification at the time of contract award. Under CMMC 2.0, companies will have approximately 180 days to close out POA&M items and shore up their security.
The Clock is Ticking
Our CMMC consulting services and managed services are the best way to ensure that you and your entire supply chain are prepared for CMMC assessments. Contact us today to ensure CMMC compliance.