Want to learn more about the CMMC 2.0 model?
Cuick trac™ has helped hundreds of DoD service providers, manufacturers, and contractors understand the cybersecurity practices required for CMMC, including how National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, -7019, -7020, and -7021 can impact their business and how they can prepare.
The CMMC framework incorporates a set of cybersecurity requirements into contracts and assures the DoD that contractors and subcontractors are meeting these requirements.
The CMMC framework has three key features: a tiered model, assessments, and implementation through contracts.
The tiered model requires companies entrusted with national security information to implement cybersecurity standards at progressively higher levels, based on the type of information and its sensitivity. This model also establishes the process for flowing that information, and the requirements that protect it, down to subcontractors.
CMMC assessments allow the DoD to verify that the contractor has implemented the required cybersecurity standards.
Once CMMC is fully implemented, DoD contractors that handle CUI will need to achieve the specified CMMC level as a condition of contract award.
CMMC was originally developed to verify defense contractors' compliance, replacing a self-attestation trust model that wasn't working.
Levels 2 and 4 of CMMC 1.02 are no longer part of the model. Level 1, titled "Foundational," consists of the basic safeguarding requirements of FAR 52.204-21. From a security controls standpoint, nothing changed there.
Once CMMC 2.0 is in place (more on that below), those required to be CMMC Level 1 will be allowed to self-assess their cybersecurity posture (annually), with leadership sign-off, and enter their score into the Supplier Performance Risk System (SPRS).
The focus is (again) on the practices that need to be in place, based on the data an organization handles (CUI vs. non-CUI).
The 110 requirements and 320 assessment objectives of NIST SP 800-171 Rev. 2 and NIST SP 800-171A must be fully implemented, just as they were required to be before CMMC 1.02. CMMC 2.0 removes the "Delta 20" additional practices that CMMC 1.02 Level 3 layered on top of them.
If NIST SP 800-171 is fully in place, those 20 additional practices aren't as difficult as many made them out to be.
Does that mean they’re gone forever? Time will tell. We'll blog on that some other time!
Level 3, titled "Expert," will be based on a subset of NIST SP 800-172, a more proactive set of controls that focuses on preventing Advanced Persistent Threats (APTs). These assessments will be government-led (by DIBCAC), but no further information on what that means is available yet.
Per the release of CMMC 2.0: "The changes reflected in CMMC 2.0 will be implemented through the rule-making process. Companies will be required to comply once the forthcoming rules go into effect.
The Department intends to pursue rule-making both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.”
Also, DoD OUSD(A&S) currently estimates the rule-making process could take 9 to 24 months, which is unfortunate. The Level 2 requirements can (and likely will) change before all things are final.
CMMC 2.0 splits Level 2 (Advanced) into two categories of CUI: information deemed "critical to national security," and CUI that isn't deemed critical.
The decision as to which businesses can self-attest and which ones require a C3PAO assessment is not completely clear.
It may be that if you handle data that meets the "Controlled Technical Information" (CTI) definition in DFARS 252.204-7012 and carries DoD Instruction 5230.24 distribution statements B through F, you will need a C3PAO assessment.
Contractors awarded work on critical CUI contracts will go through third-party assessments by C3PAOs every three years, while select programs will be allowed to self-assess annually. More information on this will come at a future date.
This is where the accountability of the contractor continues to stack up. This isn’t new to any contractor subject to DFARS and NIST SP 800-171.
CMMC 1.02 put a lot of focus on strategic planning: the DoD wants to see how its suppliers plan to become compliant and a non-vulnerable piece of the supply chain. That won't change, given the focus on accountability across the entire supply chain.
The days of "kicking the can down the road" and "we'll just POA&M it until we have to do it" are going away. Contractors will, for the sake of national security, be held accountable to their System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms), or they'll likely face potential False Claims Act scenarios.
The only immediate change is that the CMMC pilots are on hold, so DFARS 252.204-7021 will not be included in any contracts until CMMC 2.0 is in effect.
CMMC 2.0 implements a three-tier system of security, consisting of the Foundational, Advanced, and Expert levels. The Advanced level is equivalent to NIST SP 800-171, and the Expert level will be based on a subset of NIST SP 800-172 requirements; this level is still under development.
DoD contracts may require contractors to achieve a particular level to compete for the award. For Level 2 prioritized acquisitions and for Level 3, CMMC 2.0 requires a third-party (C3PAO) or government-led assessment to obtain certification, whereas NIST SP 800-171 compliance under DFARS 252.204-7012 and -7019 rests on a contractor self-assessment, with no certification requirement.
Furthermore, NIST isn't a regulatory body, so it has no authority to enforce its guidelines; enforcement comes through the DFARS clauses in the contract.
CMMC 2.0 includes over 130 requirements at its highest level (Level 3), 110 of which are the NIST SP 800-171 requirements themselves; the remainder come from NIST SP 800-172.
These requirements focus almost entirely on protecting CUI, whereas NIST SP 800-171 also lists the Non-Federal Organization (NFO) controls it expects to already be in place without spelling them out.
NIST SP 800-171 encompasses 14 requirement families or domains, covering areas such as access control, personnel security, risk assessment, and security assessment. CMMC 2.0 Level 2 addresses exactly these 14 domains; the extra domains that CMMC 1.02 added (asset management, recovery, and situational awareness) were dropped along with the Delta 20.
At Level 3, the NIST SP 800-172 subset raises the bar, requiring affected organizations to maintain a greater level of threat awareness and to understand how those threats could affect the CUI they handle.
A CMMC readiness assessment is the first step toward certification, since it tells contractors how close they are to meeting the requirements of the appropriate CMMC level. Note that, under conflict-of-interest rules, the organization that performs your readiness or consulting work cannot also be the C3PAO that performs your certification assessment.
This assessment is designed to identify gaps in the contractor's systems and processes that prevent it from meeting the required controls.
It examines specific features of the contractor's network and procedures, such as where CUI is stored and how access to those systems is controlled.
How the contractor implements its security controls and measures is also a key element of the assessment, as are the development and implementation of incident response plans.
The training of managers and information system administrators is another major part of the readiness assessment.
The assessment concludes with a gap analysis that describes the changes the organization needs to make before it can qualify for the required CMMC level.
Professional MSSPs use these findings to develop a remediation plan that closes the gaps, allowing their clients to meet CMMC requirements.
DoD contractors can then use this plan to conduct their own remediation or hire an MSSP to do it for them.
A well-researched remediation plan from the consultant is essential for making the necessary changes to the contractor's systems.
The remediation plan a CMMC consultant develops should include detailed documentation of the processes that don't meet the required standards, based on the findings of the readiness assessment, with each gap tied to the specific NIST SP 800-171 requirement it affects and tracked in the POA&M.
The tasks included in the remediation may vary greatly, from relatively minor, inexpensive fixes to extensive changes requiring a redevelopment of existing systems and processes from the ground up.
Once an MSSP has completed a contractor's remediation plan and brought its systems into line with the appropriate CMMC level, ongoing monitoring and reporting must follow.
This requires tools and procedures that monitor systems for security incidents and support reporting them to the DoD; under DFARS 252.204-7012, cyber incidents affecting covered defense information must be reported to DoD (via DIBNet) within 72 hours of discovery.
Contractors also have the option of handling that reporting themselves, provided they have the necessary tools and the expertise to use them.
Focus on the current progress of implementing NIST SP 800-171, on building the right strategic plan to hit established timelines, and on how the organization's managed compliance program stays in place while threats and requirements continue to evolve.
Those who see CMMC 2.0 as a "victory" or a "told ya so!" moment, because they think they DON'T have to strengthen their cybersecurity and compliance programs, are going to fall even further behind.
Cuick trac™ engages with organizations who are proud to be part of the DoD supply chain, and more importantly, understand that our national security is at risk. We will continue to be part of the solution!
If you’d like to discuss CMMC 2.0 in more detail and figure out the best path forward for your organization, contact us and speak with one of our cybersecurity advisors today.