Department of Defense Unveils CMMC 2.0, Opening a Five-Year Implementation Window

Organizations encouraged to complete cybersecurity readiness assessments and implement NIST 800-171 best practices in preparation

Late last year, the U.S. Department of Defense (DoD) announced some important updates to its existing Cybersecurity Maturity Model Certification (CMMC), a set of security standards that help organizations protect controlled classified information (CUI) and federal contract information (FCI). These changes are applicable to all DoD contractors and subcontractors and replace CMMC 1.02, which was released in March 2020.

The changes were made to help reduce burdens on organizations in DoD’s Defense Industrial Base (DIB). According to DoD, CMMC 2.0 will also help set priorities for DoD data protection and reinforce cooperation between DoD and other industries addressing cyber threats.

Here’s a quick look at some of the key changes in CMMC 2.0:

1. Reduces the number of security levels in CMMC 1.0 from five to three, which are consolidated in 2.0.
2. Enables self-assessments, which were not available in 1.0.
3. Organizations will now need to submit a Plan of Actions and Milestones (POA&M) for any CMMC processes or practices not implemented

Before we take a deeper dive into CMMC v 2.0, let’s take a step back at the history and evolution of CMMC.

First, what is CMMC?

CMMC is the Cybersecurity Maturity Model Certification. It’s a set of security standards from DoD for CUI and FCI. CMMC is applicable to all contractors and subcontracting wanting to bid on new DoD contracts or renew existing contracts.

These contractors and subcontractors have long had standards for DoD contracts. For example, since 2018, they were required to meet NIST 800-171 standards; however, there was some ambiguity on what meeting those standards actually meant and how DoD could measure accountability.

What is CUI? CUI is an abbreviation for controlled unclassified information, which includes protected but unclassified information that needs additional safeguarding, security, and dissemination controls. Examples might include personally identifiable information (PII) or proprietary business information (PBI).

What is FCI? FCI is federal contract information. FCI can include a range of information, for example, emails between DoD and contractors, policies and subcontracts, and other information shared through various communication channels.

In January 2020, the government DoD release CMMC v 1.0 to create a common framework to make implementation and accountability less difficult. It was included in the Defense Federal Acquisition Regulation Supplement (DFARS) as a part of contract awarding processes.

To become CMMC certified, contractors and subcontractors were expected to successfully complete an accredited third-party assessment or get an independent assessment from an accredited assessor for the minimum CMMC certification level needed for a DoD contract.

CMMC certifications are valid for three years. For contractors that work with subcontractors on these DoD contracts, those subcontractors must also be certified at the required level.

A DoD contractor or subcontract going through a CMMC assessment certification process is generally referred to as an Organization Seeking Certification (OSC). If an organization doesn’t access CUI but accesses FCI, it should also be CMMC-certified.

Any organization not certified at the required CMMC level outlined in all requests for information (RFIs) and requests for proposals (RFPs) when DoD awards a contract can be disqualified from participating in that contract.

While DoD issues CMMC guidelines, the CMMC Accreditation Body (CMMC-AB ) oversees certified CMMC assessors for certifications. Its primary function is to ensure these assessors conduct assessments for CMMC certification drawing on a defined set of CMMC best practices. Within CMMC-AB there are accreditation processes for:

• Registered Practitioners (RPs): Helps DoD contractors by conducting readiness assessments and helping them prepare for the certification process. They do not conduct CMMC certification assessments.
• Registered Provider Organizations (RPOs): Represents itself as familiar with CMMC basic constructs and offers non-certified CMMC consulting services to help DoD contractors with readiness assessments and to prepare for certification.
• Certified Assessors (CAs): Has the background, training, and examination requirements defined by CMMC-AB and has a certification.
• Certified Third-Party Assessment Organizations (C3PAOs): Certified to conduct CMMC certification assessments for contractors and provide consultations.

Costs related to CMMC preparation, framework implementation, assessments, and certification vary and are generally relative to the CMMC certification level. For example, the higher level you’re hoping to achieve, the likelihood the costs will increase as well.

CMMC v1.0

CMMC 1.0 drew on standards from NIST 800-171, as well as NIST 800-53, ISO 27031, and ISO 27032. It covered 17 total domains and had five certification levels: Perform, which was considered basic cyber hygiene; Document, intermediate cyber hygiene; Manage, good cyber hygiene; Review, proactive; and Optimize, considered advanced/progressive.

Each of these certification levels had a range of practices. For example, level 1 had 17 practices. For CMMC v 1.0 organizations were encouraged to conduct a self-assessment before having a formal CMMC assessment, but could not self-assess for certification. That changes in version 2.0.

CMMC v 2.0

DoD says the latest version of CMMC should cut red tape for small and medium-sized businesses (SMBs) and help set priorities for protecting DoD information. It will help DoD and DIB organizations better respond to evolving threats while continuing to safeguard CUI and FCI. This version maintains a tiered or layered implementation model that helps organizations gradually mature their practices depending on the type of government data accessed and its sensitivity level.

The move from CMMC 1.0 to 2.0 came in late 2020 after DoD issued an interim rule to the Assessing Contractor Implementation of Cybersecurity Requirements, DFARS Case 2019-D041. That rule outlined the future of CMMC and became effective the following month. When it went into effect, the rule opened a window for a five-year phase-in timeline.

The following March, in 2021, DoD conducted its internal CMMC review, evaluating implementation, which also included more than 850 public comments it received about the interim rule. That review, coupled with the feedback, helped redefine CMMC policy and implementation.

In November 2021, DoD indicated the new version would help meet goals established during that initial review including:

• Safeguard sensitive information to enable and protect the warfighter
• Dynamically enhance DIB cybersecurity to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Contribute toward instilling a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards

Here’s a closer look at the three big changes in version 2.0:

Streamlined Model

As we mentioned earlier, CMMC 1.0 included five certification levels. This version streamlines requirements, focusing on the most critical and reduces the number of levels to three. These levels align with the National Institute of Standards and Technology (NIST) cybersecurity standards.

The new levels are:

• Level 1: Foundational:  There are 17 practices that enables an annual self-assessment for certification. This is for organizations with FCI only.

• Level 2: Advanced:  There are 110 practices, which align with NIST SP 800-171. Triennial third-party assessments are required for prioritized acquisitions; however, self-assessments may be applicable for certain programs, such as non-prioritized acquisitions. This is for organizations with CUI.
• Level 3: Expert:  There are 110 practices at this level based on NIST SP 800-172. There are also triennial assessments for this level, but they are government-led assessments. This is for the highest priority programs with CUI.

When compared to CMMC v 1.0, the major model changes we see are:

• Levels 2 and 4 from v1.0 were removed. (Level 1 remains the same.)
• The new level 2 is similar to v1.0’s level 3.
• The new level 3 is similar to v1.0’s level 5.
• Prioritized acquisitions involving CUI require independent third-party assessment.
• Non-prioritized acquisitions involving CUI require annual self-assessment and annual company affirmation.

This new model eliminates all maturity processes and also eliminates all CMMC unique security practices. Instead, organizations are encouraged to work with NIST to address gaps identified through NIST.

According to the Office of the Under Secretary of Defense, the CMMC 2.0 model for Levels 1 and 2, their assessment guides, and scoping guidance will soon be published for informational purposes. Level 3 information will follow when it’s available.

Reliable Assessments

CMMC 2.0 should create reduce assessment costs for organizations because all organizations at level 1 and some at level 1 can now demonstrate compliance with a self-assessment. The goal is to also increase oversight of professional and ethical standards of third-party assessments.

Flexible Implementation

CMMC 2.0 also allows, under certain circumstances, companies to make Plans of Action & Milestones (POA&Ms) to achieve certification. These POA&Ms will be strictly time-bound, possibly for 180 days; however, they will not be allowed for the highest-weighted requirements. There will be a minimum score to support POA&M certification.

There will also be waivers for CMMC requirements under limited circumstances. For example, they will only be allowed in certain mission-critical incidents. They will also be strictly time-bound on a case-by-case basis and will require senior DoD approval.

There is a five-year phase-in period and CMMC level information will not be included in DoD contracts as CMMC 2.0 gets codified through rulemaking processes. DoD will complete all required mandatory rulemaking obligations, including 32 CFR to establish the CMMC program, and 48 CFR to update contractual requirements in the DFARS for program implementation. This process could take anywhere between nine months up to two years and will include a 60-day public comment period and concurrent congressional review.

During this time, DoD will suspend its CMMC piloting program, as well as the mandatory CMMC certification requirement. DoD is considering some incentives for organizations that voluntarily get a CMMC certification at level 2 in the interim. It’s encouraging all organizations to move forward with making cybersecurity program enhancements and even established Project Spectrum to help organizations assess their cyber readiness and improve cybersecurity practices.

Have additional questions about CMMC 2.0? Check out this FAQ from DoD: https://www.acq.osd.mil/cmmc/faq.html.

Preparing Now

While there is still some time before all of the specifics of CMMC 2.0 are finalized, if your organization is anticipating renewing a DoD contract or hopes to garner a new contract in the future, now is a good time to take a closer look at your existing cybersecurity practices.

If you don’t already have a cybersecurity program in the works for your organization, the NIST Cybersecurity Framework is a great starting point. It’s free and best of all it can be tailored to meet your organization’s needs as they are today and as you evolve in the future.

If you already have a cybersecurity program for your organization, you can use this window to conduct a cybersecurity assessment and make plans to work through any known weaknesses or security gaps. DoD encourages organizations to draw on NIST 800-171 and for more mature programs NIST 800-172, since both of these will play influencing roles in the finalized version of CMMC 2.0

DoD offers five simple steps to help improve your security posture, including:

1. Educate people on cyber threats, including sharing information about why it’s important to have strong passwords, what malicious links look like and what they can do, and why it’s important to install security patches and updates.
2. Implement access controls
3. Authenticate users
4. Monitor your physical space
5. Update security protections

For additional support, visit Project Spectrum. The site is loaded with articles and tools to help your organization prepare for CMMC 2.0, including a Cyber Readiness Checklist, online courses, and training videos.

CMMC and NIST Resources

While mandatory CMMC certifications are on hold during this rulemaking process, organizations that want to voluntarily move forward with certification can do so. Not sure where to start? Apptega has a compliance guide aligned to CMMC 1.0 that’s a great resource.

While it will not be the same as CMMC 2.0, it’s a solid reference for understanding CMMC goals and objectives. Because it has a layered approach to cybersecurity implementation, it’s also helpful for all organizations, regardless of your current security posture. It can even give you insight into ways you can start to improve your cyber practices in the interim. Download the guide here: https://www.apptega.com/frameworks/cmmc-certification.

Since CMMC 2.0 is expected to be less complicated, if you don’t want to get bogged down in CMMC 1.0 details, you can also check out some of Apptega’s resources for NIST 800-171. NIST 800-171 is a set of guidelines for non-federal organizations that work with federal agencies and features controls to protect and secure CUI. Any non-federal organization that works with a federal agency and processes, stores, or transmits CUI should comply with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 standards.

On our NIST 800-171 fundamentals page, we take a throughout look into what NIST is, what it’s designed to do, its controls and benefits. There is also a lot of helpful information about steps your organization can take to become NIST 800-171 compliant, as well as how to conduct a NIST 800-171 self-assessment.

Here are some other NIST related resources you may find helpful:

• Blog: Choose the Right Framework to Better Navigate the Convergence of Data Privacy and Cybersecurity
• Blog: Which Cybersecurity Framework is Right for You?
• Webinar: NIST SP 800-171 and CMMC: Minimize Your Risk of Losing Business Opportunities
• NIST 800-171 Compliance Guide

And, if you haven’t already checked out the CyberXchange marketplace, now is the time to do so. CyberXchange is a unique resource that can connect your organization to hardware, software, and services that are specific to your needs. They’re even mapped to the controls and sub-controls of your cybersecurity and privacy frameworks. Here’s a quick link to CMMC resources and NIST support.

Partnering with Apptega for CMMC Compliance

While changes are coming for CMMC compliance, Apptega can help you if you’re ready to go ahead with a voluntary CMMC certification or you just want to mature your cybersecurity posture.

Unlike using spreadsheets or static word processing documents to manage CMMC compliance, Apptega provides a single solution where you can get insight into all of your existing controls and frameworks, not just for CMMC and NIST, but across your cybersecurity, risk management, privacy, and compliance programs. You can even cross-walk all of your frameworks with control mapping and build customized frameworks for your organization.

The platform also has a growing library of frameworks you can use, questionnaire-based assessments, one-click reports, and real-time compliance scoring so you always know how you’re doing.

Need more information? Check out this video demo to learn how Apptega can help you simplify CMMC assessments. We also have a demo for NIST 800-171 compliance.