CMMC Compliance 2.0 Guide: Controls, Levels, Requirements & Assessment

With the Pentagon’s recent overhaul of the Cybersecurity Maturity Model Certification (CMMC) framework, there are some big changes defense contractors need to know about.

If you're in the business of selling or providing services/products to the U.S. Department of Defense (DoD), then you need to know about CMMC 2.0.

It's new, it can appear complicated, and it's going to affect how you do business with the DoD in the future.

But don't worry – we're here to help make sense of all this bureaucratic mumbo-jumbo.

CMMC 2.0, announced on 11/4/2021, includes updates to streamline the tiered model of certification levels, assessment procedures, and a little more clarity on what Organizations Seeking Certification (OSC) can do to prepare and succeed under CMMC.

In this guide, we'll cover all the details of CMMC 2.0, including what’s changed and what it means to DoD contractors and companies in the Defense Industrial Base (DIB).

This CMMC compliance guide discusses the updated controls and levels, compliance requirements, the assessment process, and how you can work to ensure compliance.

Want to learn more about the CMMC 2.0 model? 

Cuick trac™ has helped hundreds of DoD service providers, manufacturers, and contractors understand cybersecurity practices for CMMC, including how National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, 7019, 7020, and 7021 can impact their business and how they can prepare.

Get the facts about CMMC 2.0, speak with a NIST expert at cuick trac™ today
Contact Us

What is CMMC 2.0?

The CMMC framework increases the cybersecurity posture of organizations in the DIB.

It’s designed to validate the protection of controlled unclassified information (CUI) that the DoD shares with its contractors and subcontractors.

The CMMC framework incorporates a set of cybersecurity requirements into contracts and assures the DoD that contractors and subcontractors are meeting these requirements.

The CMMC framework has three key features, including a tiered model, assessments, and implementation through contracts. 

Tiered model

The tiered model requires companies entrusted with national security information to implement cybersecurity standards at progressively higher levels, based on the type of information and its sensitivity. This model also establishes the processes for disseminating this information to subcontractors.

Assessments

CMMC assessments allow the DoD to verify that the contractor has implemented the required cybersecurity standards.

Implementation

Some DoD contractors that handle CUI will also need to achieve a specified CMMC level as a condition of receiving the contract once CMMC is fully implemented.

The evolution of CMMC 2.0

The DoD published an interim rule to DFARS in September 2020. This rule is part of the Federal Register, formally known as DFARS Case 2019-D041, which implemented CMMC 1.0. 

It outlined the basic features of the CMMC framework, including the tiered model, required assessments, and implementation through contracts. The interim rule went into effect on November 30, 2020, beginning a five-year phase-in period for CMMC.

The DoD initiated a review of CMMC’s implementation in March 2021, based in part on more than 850 public comments about the interim DFARS rule. This assessment also included consultations with acquisition and security leaders within DoD, resulting in further refinement of the CMMC implementation.

The DoD announced the release of CMMC 2.0 in November 2021, which updated CMMC’s structure and requirements to achieve the program’s goals more easily. 

These goals include protecting CUI that supports warfighters and improving security dynamically to meet evolving threats. CMMC 2.0 also ensures accountability and facilitates compliance with DoD requirements. 

Additional goals of CMMC 2.0 include creating a collaborative culture of security and maintaining public trust by adhering to high-security standards.

Who has to meet CMMC compliance requirements?

The Office of the Under Secretary of Defense (OUSD) Acquisition & Sustainment (A&S) Department has published materials describing its strategy for the CMMC program.

However, CMMC 2.0 won’t be contractually required until the Department develops the rulemaking process needed to implement it, which could take up to two years. 

The responsibility of CMMC has also shifted from OUSD A&S to DoD’s Chief Information Officer (CIO).

Once CMMC 2.0 becomes a contractual requirement, the DoD will specify the required CMMC level in the solicitation and in Requests for Information (RFIs), if any. 

At this point, organizations that fail to show their compliance with NIST SP 800-171 will face a number of penalties, including the loss of contract, loss of opportunity to receive new contracts, and fines.

Virtually all civilian organizations that do business with the government must comply with CMMC 2.0, including:

  • DoD prime contractors
  • DoD subcontractors
  • Suppliers at all tiers in the DIB
  • DoD small businesses suppliers
  • Commercial suppliers that process, handle or store CUI
  • Foreign suppliers
  • Team members of DoD contractors that handle CUI such as IT Managed Service Providers

The same CMMC level will apply to both contractors and subcontractors, provided they handle the same type of CUI and Federal Contract Information (FCI).

However, a lower CMMC level may apply to the sub in cases where the prime only sends selected information.

Changes to safeguarding sensitive national security information with CMMC 2.0

CMMC 2.0 maintains the program’s original goal of protecting sensitive information while simplifying the standards and providing additional clarity on contracting policy and requirements. 

It focuses on establishing the highest standards for security and third-party assessments needed to support this program. CMMC 2.0 also increases the DoD CIO’s oversight of professional and ethical standards for conducting assessments.

In addition, all contractors were required to undergo a third-party assessment under CMMC 1.0. This requirement has been relaxed under CMMC 2.0 so that contractors who don’t handle sensitive data only need to conduct a self-assessment.

Full details on how this will be implemented have not been formally released.

The CMMC 2.0 framework simplifies compliance with DoD security standards by implementing a new tier system based on the sensitivity of the information. 

It establishes context-dependent rules on data protection for over 300,000 independent contractors that make up the DIB.


The 8 biggest changes from CMMC 1.02 to CMMC 2.0

On the surface, it appears there were a lot of drastic changes from CMMC 1.02 to CMMC 2.0. However, when you look at what is required today vs. what will be required in the future, things didn’t really change that much.

NIST SP 800-171 is, and always has been, the backbone and associated focus of protecting the confidentiality of CUI. Under NIST 800-171, contractors are required to show policy and procedure documentation, to support their implementation.

CMMC was originally developed to verify that the accountability of defense contractors was taking place, versus a self-assessing trust model that wasn't working.
CMMC 2.0 will consist of three (3) levels, versus the five (5) levels of CMMC 1.02.

Levels 2 and 4 are no longer part of the model. Level 1, titled “Foundational”, will consist of the basic safeguarding controls of FAR 52.204-21. From a security controls standpoint, nothing changed there.

Once CMMC 2.0 is in place (more on that below), those required to be CMMC Level 1 will be allowed to self-assess their cybersecurity posture (annually), with leadership sign-off, and enter their score into the Supplier Performance Risk System (SPRS).

CMMC 2.0 eliminates all maturity processes.

Practices are (again) the focus that needs to be put in place, based on the data that an organization handles (CUI vs non-CUI).

CMMC Level 2, titled “Advanced”, becomes the level for those handling CUI in non-federal systems.

The 110 controls and 321 practice objectives of NIST SP 800-171 rev. 2 and NIST 800-171A are to be fully implemented, just as they were required to be prior to CMMC 1.02. CMMC 2.0 removes the “Delta 20” additional practices of CMMC Level 3 from 1.02.

If NIST 800-171 is fully in place, the 20 additional practices aren't as difficult as many made them out to be.

Does that mean they’re gone forever? Time will tell. We'll blog on that some other time!

CMMC Level 3, titled “Expert”, goes above and beyond NIST SP 800-171 to align with NIST SP 800-172.

NIST SP 800-172 is a more proactive set of controls that focuses on preventing Advanced Persistent Threats (APTs). These assessments will be government-led (DIBCAC), yet no further information on what that means is available.

CMMC 2.0 will not go into effect right away.

Per the release of CMMC 2.0: “The changes reflected in CMMC 2.0 will be implemented through the rule-making process. Companies will be required to comply once the forthcoming rules go into effect.

The Department intends to pursue rule-making both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.

Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.”

Also, DoD OUSD(A&S) currently estimates the rule-making process could take 9-24 months, which is unfortunate. CMMC Level 2 can (and likely will) go through further changes before all things are final.

Under CMMC 2.0, CMMC Level 2 will be bifurcated (divided) into two groups:

"Critical to National Security Information", and CUI that isn’t deemed as critical.

The decision as to what businesses can perform self-attestation and which ones require a C3PAO is not completely clear.

It may be that if you handle data that meets the “Controlled Technical Information” (CTI) definition from DFARS 252.204-7012 and carries DoD 5230.24 distribution statements B through F, then you need a C3PAO assessment.

Those who have been awarded contracts to perform services on critical CUI contracts will go through an audit process, or third-party assessment, from C3PAOs triennially (every three years), while select programs will be allowed to self-assess annually. More information on this will come at a future date.

Plans of Action & Milestones (POA&Ms) will be allowed; however, they will be “time-bound” and “enforceable.”

This is where the accountability of the contractor continues to stack up. This isn’t new to any contractor subject to DFARS and NIST SP 800-171.

CMMC 1.02 put a lot of focus on strategic planning. The DoD wants to see how their suppliers plan to become compliant and a non-vulnerable piece of the supply chain. That won’t change due to the focus on accountability across the entire supply chain.

The days of “kicking the can down the road” and “we’ll just POA&M it until we have to do it” are going away. Contractors will, for the sake of National Security, be held accountable to their SSP and POA&Ms, or they'll likely face potential False Claims Act scenarios.

The DFARS Interim Rule (DFARS 252.204-7012, 7019, and 7020), which has nothing to do with CMMC, is still in effect.

The only change is that CMMC Pilots are being put on hold, therefore DFARS 252.204-7021 will not be allowed to be in any contracts until CMMC 2.0 is in effect.

Breaking down the new CMMC 2.0 levels

[Figure: CMMC 2.0 compliance levels, model and assessment graph]

CMMC 2.0 eliminates Levels 2 and 4 of CMMC 1.02, which were transition levels between the levels immediately above and below them. The new CMMC 2.0 levels are based on the type of information that DIB organizations handle, as described below:

CMMC 2.0: Level 1 (Foundational)

CMMC 2.0 Level 1 is equivalent to CMMC 1.02 Level 1, which is based on the 17 controls in FAR 52.204-21. The goal of these controls is to protect the information systems of covered contractors, primarily by limiting access to authorized users.

This level provides basic protection of covered contractor information and only applies to organizations that handle FCI.

CMMC 2.0: Level 2 (Advanced)

CMMC 2.0 Level 2 is equivalent to CMMC 1.02 Level 3, which is based on NIST SP 800-171. It includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171, but eliminates all 20 Level 3 practices and processes that are unique to CMMC 1.02.

As a result, CMMC 2.0 Level 2 is in complete alignment with NIST SP 800-171. This level is designed for companies that work with CUI.

CMMC 2.0: Level 3 (Expert)

CMMC 2.0 Level 3 applies to companies that handle CUI for DoD programs with the highest priority. It’s comparable to CMMC 1.02 Level 5, although the DoD is still developing its specific security requirements.

However, it has already indicated that the requirements of Level 3 will be based on NIST SP 800-171’s 110 controls in addition to a subset of NIST SP 800-172 controls.

CMMC 2.0 focuses on reducing a system’s vulnerability to APTs.

CMMC 2.0 replaces the five-tier system in CMMC 1.02, which previously consisted of the following levels of cyber hygiene:

CMMC 1.02: Level 1 (Basic)

Level 1 of CMMC 1.02 consists of 17 controls that meet the basic safeguarding requirements described in FAR clause 52.204-21. These practices include basic access controls and the implementation of identity and authentication. 

The goal of this level is to protect FCI, which is required for any DoD contractor that doesn’t solely produce commercial off-the-shelf (COTS) products. The great majority of DoD contracts will require Level 1 under CMMC 1.02.

CMMC 1.02: Level 2 (Intermediate)

Level 2 of CMMC 1.02 requires 55 new controls from NIST 800-171 in addition to the 17 controls of Level 1. Furthermore, it adds the requirement for documenting practices.

The goal of this level is to create a base level of security for organizations that handle CUI, making it a transitory level that prepares them for the Level 3 of CMMC 1.02.

CMMC 1.02: Level 3 (Good)

Level 3 of CMMC 1.02 adds 58 new controls on top of those that Level 2 requires, which includes all the controls in NIST SP 800-171 in addition to controls from other sources.

It also requires contractors to establish, maintain and resource a plan demonstrating management of the implementation of CMMC.

As a result, Level 3 is a major step up from Level 2. The goal of Level 3 is to protect CUI by fleshing out the controls in Levels 1 and 2. Contractors that handle FCI and CUI need at least Level 3 under CMMC 1.02, so analysts expect it to be the most common maturity level for this framework.

CMMC 1.02: Level 4 (Proactive)

Level 4 of CMMC 1.02 adds 26 new controls to those required by Level 3, which are described in NIST SP 800-171B and other sources. These controls are far more complex than those in lower levels, making them more time-consuming to implement and maintain.

The main focus of Level 4 is to improve the contractor’s effectiveness in protecting CUI from Advanced Persistent Threats (APTs). For example, it requires the contractor to review practices and assess their effectiveness.

Analysts expect comparatively few DoD contractors to require CMMC 1.02 Level 4, as it is primarily a transition between Level 3 and Level 5.

CMMC 1.02: Level 5 (Advanced)

Level 5 of CMMC 1.02 adds 15 new controls to those required by Level 4, which increase the depth and sophistication of the contractor’s security posture. This level requires contractors to standardize and optimize the implementation of their processes across the entire organization. Level 5 also focuses on the protection of CUI from APTs, so the new security practices are more advanced than those of previous levels. Very few organizations should require CMMC 1.02 Level 5.

Differences between CMMC 2.0 and NIST 800-171

CMMC 2.0 is based on NIST 800-171, but the two sets of guidelines aren’t identical.

The most significant differences between them include a level-based model for CMMC 2.0, the greater focus of CMMC 2.0 on CUI, and the additional domains in CMMC 2.0.
1. Level-Based Model

CMMC 2.0 implements a three-tier system of security, consisting of Foundational, Advanced, and Expert levels. The Advanced level is equivalent to NIST SP 800-171, and the Expert level will be based on a subset of NIST SP 800-172 requirements. However, this level is still under development.

DoD contracts may require contractors to achieve a particular level to compete for a contract. CMMC 2.0 requires third-party assessments to obtain CMMC certification, whereas NIST 800-171 only requires self-assessment and has no certification requirement.

Furthermore, NIST isn’t a regulatory body, so it doesn’t have the authority to enforce its guidelines.

2. CUI Standards

CMMC 2.0 includes over 130 cybersecurity guidelines at its highest compliance level, with 110 of these mapping directly to NIST 800-171 standards.

These guidelines focus almost entirely on CUI controls, whereas NIST 800-171 also outlines standards for Non-Federal Organizations (NFO) controls.

3. Additional Domains

NIST 800-171 encompasses 14 requirement families or domains. They include standards for areas of security such as access control, personnel security, risk assessment, and security assessments. CMMC 2.0 addresses all of these domains and adds the domains of asset management, recovery, and situational awareness. It also places a higher standard on the domains of cybersecurity assets and breach recovery.

In addition, CMMC 2.0 requires affected organizations to maintain a greater level of awareness of threats and of how those threats could affect the CUI they handle.

The new CMMC 2.0 assessment requirements

[Figure: CMMC 2.0 assessment requirements chart]

How much will implementation of CMMC 2.0 cost?

The DoD hasn’t yet published a comprehensive cost analysis for each level of CMMC 2.0, but it will eventually do so.

We expect these CMMC certification costs may be significantly lower than those of CMMC 1.0 since CMMC 2.0 streamlines the requirements for all levels by eliminating practices and maturity processes that are unique to CMMC. 

In addition, contractors at Level 1 and some Level 2 programs only need self-assessments instead of third-party assessments. Another factor that should reduce the cost of implementing CMMC 2.0 is the increased oversight over C3PAOs.

CMMC 2.0 isn’t yet an official policy, but DoD contractors shouldn’t wait until it is before starting their journey towards CMMC compliance.

CMMC 2.0 requires compliance with both DFARS 252.204-7012 and NIST 800-171, which are already part of DoD’s security landscape. 

Contractors should already be CMMC ready to ensure they aren’t violating the False Claims Act.

The costs of CMMC include the following:

  • Soft costs
  • Remediation
  • Time
  • Assessment
  • Maintenance

Soft costs include the time needed to prepare for an audit, which requires planning, budgeting, training, and documentation. The personnel performing these tasks may come from a contractor’s own workforce or an external consulting firm.

If a contractor uses its own IT staff to perform these tasks, it should ensure those staff members have the required expertise in cybersecurity. 

Otherwise, the time needed to provide this training and the cost of potential mistakes could make consulting a better option in the long run.

Remediation is the process of identifying and closing gaps in CMMC compliance, which is necessary for obtaining certification.

These expenses include the cost of upgrading infrastructure, facilities, and related technologies, which will be the biggest expenses in implementing CMMC 2.0.

Remediation costs include upgrades for hardware like servers and individual computers as well as upgrades for security software like firewalls and email applications.

Implementing CMMC also requires time on the part of managers, IT support staff and other employees. Expert consultants can dramatically reduce the amount of time needed to complete this process, but each step still requires involvement from management and IT.

Contractors that need CMMC 2.0 Level 2 must also spend money to obtain a formal assessment from a C3PAO.

Current estimates place this cost at $50k - $100k, although neither the DoD CIO nor the CMMC-AB (now known as the “Cyber AB”) has published official assessment costs, because the plan is to let the market dictate the costs.

CMMC also requires time and money to maintain after a contractor obtains its certification.

How can DoD contractors prepare for CMMC 2.0 now and in the future?

CMMC was originally developed to verify that contractors were meeting the requirements of NIST 800-171, which wasn’t occurring with just self-assessment. While CMMC 1.02 did accomplish this goal, it also increased the time and effort needed to comply with DoD security requirements. 

CMMC 2.0 reduces this requirement, but contractors shouldn’t become complacent about preparing for an audit.

While the latest version of CMMC appears to have many drastic changes, many of the requirements are the same. For example, NIST SP 800-171 is still the backbone of CMMC 2.0 when it comes to protecting CUI. 

Furthermore, contractors have always been required to document their policies and procedures for implementing NIST requirements under CMMC. The entire set of rules for implementing CMMC 2.0 should be complete by the end of 2023, but the DoD is already exploring ways to encourage contractors to achieve compliance in the meantime.

A proactive approach to CMMC compliance is an effective strategy for DoD contractors to maintain a competitive edge. Contractors should already be developing their system security plans (SSPs) and Plans of Action and Milestones (POA&Ms).

If an organization has already completed its POA&M, it should identify and remediate any gaps that it may have with respect to CMMC 2.0. Contractors should also produce and upload their SPRS score now to ensure they’re in good shape for the transition toward CMMC 2.0.

Companies that haven’t yet improved their security posture in preparation for this change can do so by establishing technical boundaries for receiving, processing, and storing CUI. They also need to define how they’ll share CUI with partners and government agencies. 

Documenting that its security posture is compliant with DFARS rules is also a great way to prepare for CMMC 2.0. Additional steps include updating and testing the Cybersecurity Incident Response Plan (CIRP) at least once each year. Finally, contractors should continually improve their security posture while waiting to implement CMMC 2.0.

Readiness Assessment

A CMMC readiness assessment from a C3PAO is the first step in obtaining CMMC, since it tells contractors how close they are to meeting the minimum requirements of the appropriate CMMC Level.

This assessment is designed to identify gaps in the contractor’s systems and processes that prevent them from meeting the required controls.

A readiness assessment assesses many specific features of a contractor’s network and procedures such as how data is stored and how access to these systems is controlled. 

The method a contractor uses to implement security controls and measures is also a key element of the assessment, as is the development and implementation of incident response plans.

The training of managers and information system administrators is also a major part of the readiness assessment.

The assessment also includes a gap analysis that describes the changes an organization needs to make before it can qualify for the required CMMC Level.

Professional MSSPs use these findings to develop a remediation plan that will fix these problems, allowing their clients to meet CMMC requirements. 

DoD contractors can then use this plan to conduct their own remediation or hire an MSSP to do it for them.

Remediation

A well-researched remediation plan from the consultant is essential for allowing contractors to make necessary changes to their systems. 

The remediation plan that a CMMC consultant develops should include detailed documentation of processes that don’t meet required standards, based on the findings of the readiness assessment. 

The tasks included in the remediation may vary greatly, from relatively minor, inexpensive tasks to extensive changes requiring a redevelopment of existing systems and processes from the ground up.

Ongoing Monitoring and Reporting

Once an MSSP has completed a contractor’s remediation plan and ensured its systems comply with the appropriate CMMC Level, it must conduct ongoing monitoring and reporting. 

This process requires tools and procedures that monitor systems for security breaches and report those breaches to the DoD.

Contractors also have the option of reporting breaches themselves, provided they have the necessary tools and expertise needed to use them.

Challenges with implementing a CMMC 2.0 compliance solution in-house

Taking the above steps to prepare for your compliance needs will help fulfill the practices and controls that CMMC 2.0 requires. 

Contractors can complete these steps with in-house resources, a consultant, or by obtaining a done-for-you (DFY) solution through an outsourced managed security service provider (MSSP) like cuick trac™.

Contractors that might choose to implement CMMC 2.0 in-house are limited to those with the necessary IT resources, skills, and bandwidth.

However, many companies will want to use a DFY solution like cuick trac™ due to the challenges of implementing CMMC 2.0 by themselves.

Each CMMC level requires a progressively greater number of controls, which are described in documents like FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172.

DoD contractors should determine the CMMC level they want to obtain before implementing the controls required for that level. 

Contractors that have already implemented all the controls in NIST SP 800-171 shouldn’t have any problems passing a CMMC 2.0 assessment successfully up to Level 2. 

However, those that haven’t yet implemented any controls need to start exploring options for preparing for a CMMC assessment, which generally consists of doing it themselves or hiring a CMMC consultant.

Option 1: Meet Requirements In-House

DoD contractors with the necessary staff and other resources may be able to achieve the desired CMMC level in-house. NIST has published a document entitled “Self Assessment Handbook – NIST Handbook 162,” which internal IT departments can use for this purpose. 

However, it only covers NIST SP 800-171 Rev. 1, and there is no self-assessment handbook for NIST SP 800-171 Rev. 2 at this time. 

NIST has also published templates for SSPs and POA&Ms, which are also important documents for achieving CMMC compliance.

Option 2: Hire a CMMC Consultant

Contractors that lack the expertise to meet the requirements of NIST SP 800-171 have the option of outsourcing this task to an experienced MSSP. These companies should be CMMC Registered Provider Organizations (RPOs), a list of which the CMMC Accreditation Body (AB) maintains.

RPOs specialize in compliance services and monitored security for DoD contractors who need to obtain CMMC. They can also conduct an assessment and perform the remediation needed to pass an audit for the required CMMC level.

It’s essential for a contractor to choose a trustworthy RPO because the contractor is ultimately responsible for ensuring it meets the appropriate security requirements.

Outsourcing CMMC compliance to a qualified MSSP allows DoD contractors to save time and money when obtaining CMMC compliance.

These providers should have all the necessary knowledge and experience to conduct a readiness assessment and develop SSPs and POA&Ms.

They should also have access to the tools needed to monitor and respond to security incidents. In addition, MSSPs should be able to remediate security gaps as needed and help the contractor become CMMC compliant, including producing the documentation needed to verify the implementation of the appropriate controls for the desired security level.

They must also be able to show a CMMC auditor that the contracting organization is maintaining these controls.

Option 3: Get a done-for-you CUI enclave solution

Another popular option for organizations looking to outsource responsibly to a trusted provider is to use an enclave to segment sensitive data such as CUI off their organization’s main network (often referred to as the “commercial” network).

What is an enclave? An enclave is “a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.” (Source)

In short, an enclave’s purpose is to protect and secure highly sensitive information, with access only given to those who need it, when they need it. When an enclave is purpose-built for specific information, like CUI, which has cybersecurity requirements like NIST 800-171, the technology components are not deployed across the whole organization, just to the subset of authorized users. This allows for controlling the confidentiality, integrity, and availability of sensitive information.

The enclave approach allows organizations seeking certification (OSCs) to shrink their scope, better define the boundaries of the system where CUI is stored, processed and transmitted, and helps with documenting what will be assessed by an external assessor (CMMC, DIBCAC, customer, etc.).

By using the enclave approach, costs can be much lower and greatly controlled, because the configuration and support of a dedicated, purpose-built network becomes easier to maintain and administer through an ongoing process.

It becomes much easier to document and define where CUI is at all times when an OSC’s CUI management plan is using a hardened technical solution that an enclave provides.

The CUI being handled by an OSC is the responsibility of that organization. CMMC 2.0 puts a very strong emphasis on responsibility and accountability, as required by NIST 800-171.

There are 320 assessment objectives within NIST 800-171A, all of which not only need to be demonstrated to be in place (to meet the 110 requirements/controls of NIST 800-171), but also need to have accountability and responsibility assigned to each one.

With an enclave provider who only focuses on NIST 800-171 and CMMC, outsourcing that responsibility is a massive time and resource saver for an OSC. 

With cuick trac™, that’s exactly what OSCs get: full outsourcing of the technology implementation needed for processing, storing and transmitting CUI, in order to comply with DFARS 252.204-7012, NIST 800-171, and the emerging CMMC, in an affordable, practical and secure way.


At cuick trac™, that’s what we do for our clients. We advise on first establishing where an organization is today in its compliance program, focusing on the current progress of implementing NIST SP 800-171, building the correct strategic plan to hit established timelines, and how the organization's managed compliance program stays in place while threats and requirements continue to evolve.

Those who see CMMC 2.0 as a “victory” or a “told ya so!” moment, so that they DON'T have to increase their cybersecurity requirements and compliance programs, are going to fall even further behind.

Cuick trac™ engages with organizations who are proud to be part of the DoD supply chain, and more importantly, understand that our national security is at risk. We will continue to be part of the solution!

If you’d like to discuss CMMC 2.0 in more detail and figure out the best path forward for your organization, contact us and speak with one of our cybersecurity advisors today.

Cuick trac™ is a privately hosted, managed, & secure CUI enclave for organizations who need to comply with NIST 800-171 & CMMC 2.0, Level 2.
© 2022 cuick trac™. All rights reserved.