What is CMMC 2.0?
The CMMC framework increases the cybersecurity posture of organizations in the DIB.
It’s designed to validate the protection of controlled unclassified information (CUI) that the DoD shares with its contractors and subcontractors.
The CMMC framework incorporates a set of cybersecurity requirements into contracts and assures the DoD that contractors and subcontractors are meeting these requirements.
The CMMC framework has three key features: a tiered model, assessments, and implementation through contracts.
The tiered model requires companies entrusted with national security information to implement cybersecurity standards at progressively higher levels, based on the type of information and its sensitivity. This model also establishes the processes for disseminating this information to subcontractors.
CMMC assessments allow the DoD to verify that the contractor has implemented the required cybersecurity standards.
Some DoD contractors that handle CUI will also need to achieve a specified CMMC level as a condition of receiving the contract once CMMC is fully implemented.
The evolution of CMMC 2.0
Who has to meet CMMC compliance requirements?
The Office of the Under Secretary of Defense (OUSD) Acquisition & Sustainment (A&S) Department has published materials describing its strategy for the CMMC program.
However, CMMC 2.0 won’t be contractually required until the Department develops the rulemaking process needed to implement it, which could take up to two years.
The responsibility of CMMC has also shifted from OUSD A&S to DoD’s Chief Information Officer (CIO).
Once CMMC 2.0 becomes a contractual requirement, the DoD will specify the required CMMC level in the solicitation and in Requests for Information (RFIs), if any.
At this point, organizations that fail to show their compliance with NIST SP 800-171 will face a number of penalties, including the loss of contract, loss of opportunity to receive new contracts, and fines.
Virtually all civilian organizations that do business with the government must comply with CMMC 2.0, including:
- DoD prime contractors
- DoD subcontractors
- Suppliers at all tiers in the DIB
- DoD small business suppliers
- Commercial suppliers that process, handle or store CUI
- Foreign suppliers
- Team members of DoD contractors that handle CUI, such as IT managed service providers
The same CMMC level will apply to both contractors and subcontractors, provided they handle the same type of CUI and Federal Contract Information (FCI).
However, a lower CMMC level may apply to the sub in cases where the prime only sends selected information.
Changes to safeguarding sensitive national security information with CMMC 2.0
The 8 biggest changes from CMMC 1.02 to CMMC 2.0
CMMC was originally developed to verify that defense contractors were actually being held accountable for their cybersecurity, replacing a self-assessment trust model that wasn’t working.
CMMC 2.0 will consist of three (3) levels, versus the five (5) levels of CMMC 1.02.
Levels 2 and 4 are no longer part of the model. Level 1, titled “Foundational”, will consist of the basic safeguarding controls of FAR 52.204-21. From a security-controls standpoint, nothing changes there.
Once CMMC 2.0 is in place (more on that below), those required to be CMMC Level 1 will be allowed to self-assess their cybersecurity posture (annually), with leadership sign-off, and enter their score into the Supplier Performance Risk System (SPRS).
CMMC 2.0 eliminates all maturity processes.
The focus returns to the practices that need to be put in place, based on the data an organization handles (CUI vs. non-CUI).
CMMC Level 2, titled “Advanced”, becomes the level for those handling CUI in non-federal systems.
The 110 controls and 321 practice objectives of NIST SP 800-171 rev. 2 and NIST 800-171A are to be fully implemented, just as they were required to be prior to CMMC 1.02. CMMC 2.0 removes the “Delta 20” additional practices of CMMC Level 3 from 1.02.
If NIST 800-171 is fully in place, the 20 additional practices aren’t as difficult as many made them out to be.
Does that mean they’re gone forever? Time will tell. We’ll blog on that some other time!
CMMC Level 3, titled “Expert”, goes above and beyond NIST SP 800-171 to align with NIST SP 800-172, a more proactive set of controls focused on preventing Advanced Persistent Threats (APTs). These assessments will be government-led (DIBCAC), but no further information on what that means is available yet.
CMMC 2.0 will not go into effect right away.
Per the release of CMMC 2.0: “The changes reflected in CMMC 2.0 will be implemented through the rule-making process. Companies will be required to comply once the forthcoming rules go into effect.
The Department intends to pursue rule-making both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.”
Also, DoD OUSD(A&S) currently estimates the rule-making process could take 9-24 months, which is unfortunate. CMMC Level 2 can (and likely will) go through further changes before everything is final.
Under CMMC 2.0, CMMC Level 2 will be bifurcated (divided) into two groups:
“Critical to National Security Information”, and CUI that isn’t deemed as critical.
The decision as to what businesses can perform self-attestation and which ones require a C3PAO is not completely clear.
It may be that if you handle data meeting the “Controlled Technical Information” (CTI) definition from DFARS 252.204-7012 that carries DoD 5230.24 distribution statements B through F, you will need a C3PAO assessment.
Contractors awarded work on critical CUI contracts will go through an audit process, or third-party assessments, by C3PAOs triennially (every three years), while select programs will be allowed to self-assess annually. More information on this will come at a future date.
Plans of Action & Milestones (POA&M) will be allowed; however, they will be “time-bound” and “enforceable.”
This is where the accountability of the contractor continues to stack up. This isn’t new to any contractor subject to DFARS and NIST SP 800-171.
CMMC 1.02 put a lot of focus on strategic planning. The DoD wants to see how its suppliers plan to become compliant and a non-vulnerable piece of the supply chain. That won’t change, given the focus on accountability across the entire supply chain.
The days of “kicking the can down the road” and “we’ll just POA&M it until we have to do it” are going away. Contractors will, for the sake of national security, be held accountable to their SSP and POA&Ms, or they’ll likely face potential False Claims Act scenarios.
The DFARS Interim Rule (DFARS 252.204-7012, 7019, and 7020), which has nothing to do with CMMC, is still in effect.
The only change is that CMMC pilots are being put on hold, so DFARS 252.204-7021 will not appear in any contracts until CMMC 2.0 is in effect.
Breaking down the new CMMC 2.0 levels
CMMC 2.0 eliminates Levels 2 and 4 of CMMC 1.02, which were transition levels between the levels immediately above and below them. The new CMMC 2.0 levels are based on the type of information that DIB organizations handle, as described below:
CMMC 2.0: Level 1 (Foundational)
CMMC 2.0 Level 1 is equivalent to CMMC 1.02 Level 1, which is based on the 17 controls in FAR 52.204-21. The goal of these controls is to protect the information systems of covered contractors, primarily by limiting access to authorized users.
This level provides basic protection of covered contractor information and only applies to organizations that handle FCI.
CMMC 2.0: Level 2 (Advanced)
CMMC 2.0 Level 2 is equivalent to CMMC 1.02 Level 3, which is based on NIST SP 800-171. It includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171, but eliminates all 20 Level 3 practices and processes that are unique to CMMC 1.02.
As a result, CMMC 2.0 Level 2 is in complete alignment with NIST SP 800-171. This level is designed for companies that work with CUI.
CMMC 2.0: Level 3 (Expert)
CMMC 2.0 Level 3 applies to companies that handle CUI for DoD programs with the highest priority. It’s comparable to CMMC 1.02 Level 5, although the DoD is still developing its specific security requirements.
However, the DoD has already indicated that the requirements of Level 3 will be based on NIST SP 800-171’s 110 controls in addition to a subset of NIST SP 800-172 controls.
This level focuses on reducing a system’s vulnerability to APTs.
CMMC 2.0 replaces the five-tier system in CMMC 1.02, which previously consisted of the following levels of cyber hygiene:
Level 1 of CMMC 1.02 consists of 17 controls that meet the basic safeguarding requirements described in FAR clause 52.204-21. These practices include basic access controls and the implementation of identity and authentication.
The goal of this level is to protect FCI, which is required for any DoD contractor that doesn’t solely produce commercial off-the-shelf (COTS) products. The great majority of DoD contracts will require Level 1 under CMMC 1.02.
Level 2 of CMMC 1.02 requires 55 new controls from NIST 800-171 in addition to the 17 controls of Level 1. Furthermore, it adds the requirement for documenting practices.
The goal of this level is to create a base level of security for organizations that handle CUI, making it a transitory level that prepares them for the Level 3 of CMMC 1.02.
Level 3 of CMMC 1.02 adds 58 new controls on top of those that Level 2 requires, which includes all the controls in NIST SP 800-171 in addition to controls from other sources.
It also requires contractors to establish, maintain, and resource a plan demonstrating management of the implementation of CMMC.
As a result, Level 3 is a major step up from Level 2. The goal of Level 3 is to protect CUI by fleshing out the controls in Levels 1 and 2. Contractors that handle FCI and CUI need at least Level 3 under CMMC 1.02, so analysts expect it to be the most common maturity level for this framework.
Level 4 of CMMC 1.02 adds 26 new controls to those required by Level 3, which are described in NIST SP 800-171B and other sources. These controls are far more complex than those in lower levels, making them more time-consuming to implement and maintain.
The main focus of Level 4 is to improve the contractor’s effectiveness in protecting CUI from Advanced Persistent Threats (APTs). For example, it requires the contractor to review practices and assess their effectiveness.
Analysts expect comparatively few DoD contractors to require CMMC 1.02 Level 4, as it is primarily a transition between Level 3 and Level 5.
Level 5 of CMMC 1.02 adds 15 new controls to those required by Level 4, which increase the depth and sophistication of the contractor’s security posture. This level requires contractors to standardize and optimize the implementation of their processes across the entire organization. Level 5 also focuses on the protection of CUI from APTs, so the new security practices are more advanced than those of previous levels. Very few organizations should require CMMC 1.02 Level 5.
Differences between CMMC 2.0 and NIST 800-171
CMMC 2.0 implements a three-tier system of security, consisting of Foundational, Advanced, and Expert levels. The Advanced level is equivalent to NIST SP 800-171, and the Expert level will be based on a subset of NIST SP 800-172 requirements. However, this level is still under development.
DoD contracts may require contractors to achieve a particular level to compete for a contract. CMMC 2.0 requires third-party assessments to obtain CMMC certification, whereas NIST 800-171 only requires self-assessment and has no certification requirement.
Furthermore, NIST isn’t a regulatory body, so it doesn’t have the authority to enforce its guidelines.
CMMC 2.0 includes over 130 cybersecurity guidelines at its highest compliance level, with 110 of these mapping directly to NIST 800-171 standards.
These guidelines focus almost entirely on CUI controls, whereas NIST 800-171 also outlines standards for Non-Federal Organizations (NFO) controls.
NIST 800-171 encompasses 14 requirement families or domains. They include standards for areas of security such as access control, personnel security, risk assessment, and security assessments. CMMC 2.0 addresses all of these domains and adds the domains of asset management, recovery, and situational awareness. It also places a higher standard on the domains of cybersecurity assets and breach recovery.
In addition, CMMC 2.0 requires affected organizations to maintain greater awareness of threats and of how those threats could affect the CUI they handle.
The new CMMC 2.0 assessment requirements
How much will implementation of CMMC 2.0 cost?
Challenges with implementing a CMMC 2.0 compliance solution
Taking the above steps to prepare for your compliance needs will help fulfill the practices and controls that CMMC 2.0 requires.
Contractors can complete these steps with in-house resources, a consultant, or by obtaining a done-for-you (DFY) solution through an outsourced managed security service provider (MSSP) like cuick trac™.
Contractors that might choose to implement CMMC 2.0 in-house are generally limited to those with the necessary IT resources, skills, and bandwidth.
However, many companies will want to use a DFY solution like cuick trac™ due to the challenges of implementing CMMC 2.0 by themselves.
Each CMMC level requires a progressively greater number of controls, which are described in documents like FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172.
DoD contractors should determine the CMMC level they want to obtain before implementing the controls required for that level.
Contractors that have already implemented all the controls in NIST SP 800-171 should have no trouble passing a CMMC 2.0 assessment up to Level 2.
However, those that haven’t yet implemented any controls need to start exploring options for preparing for a CMMC assessment, which generally consists of doing it themselves or hiring a CMMC consultant.
How can DoD contractors prepare for CMMC 2.0 now and in the future?
A CMMC readiness assessment from a C3PAO is the first step in obtaining CMMC, since it tells contractors how close they are to meeting the minimum requirements of the appropriate CMMC Level.
This assessment is designed to identify gaps in the contractor’s systems and processes that prevent them from meeting the required controls.
A readiness assessment examines many specific features of a contractor’s network and procedures, such as how data is stored and how access to these systems is controlled.
The method a contractor uses to implement security controls and measures is also a key element of the assessment, as is the development and implementation of incident response plans.
The training of managers and information system administrators is also a major part of the readiness assessment.
The assessment also includes a gap analysis that describes the changes an organization needs to make before it can qualify for the required CMMC Level.
Professional MSSPs use these findings to develop a remediation plan that will fix these problems, allowing their clients to meet CMMC requirements.
DoD contractors can then use this plan to conduct their own remediation or hire an MSSP to do it for them.
A well-researched remediation plan from the consultant is essential for allowing contractors to make necessary changes to their systems.
The remediation plan that a CMMC consultant develops should include detailed documentation of processes that don’t meet required standards, based on the findings of the readiness assessment.
The tasks included in the remediation may vary greatly, from relatively minor, inexpensive tasks to extensive changes requiring a redevelopment of existing systems and processes from the ground up.
Ongoing Monitoring and Reporting
Once an MSSP has completed a contractor’s remediation plan and ensured its systems comply with the appropriate CMMC Level, it must conduct ongoing monitoring and reporting.
This process requires tools and procedures that monitor systems for security breaches and report those breaches to the DoD.
Contractors also have the option of reporting breaches themselves, provided they have the necessary tools and expertise needed to use them.
Challenges with implementing a CMMC 2.0 compliance solution in-house
DoD contractors with the necessary staff and other resources may be able to achieve the desired CMMC level in-house. NIST has published a document entitled “Self Assessment Handbook – NIST Handbook 162,” which internal IT departments can use for this purpose.
However, it only covers NIST SP 800-171 Rev. 1, and there is no self-assessment handbook for NIST SP 800-171 Rev. 2 at this time.
Contractors that lack the expertise to meet the requirements of NIST SP 800-171 have the option of outsourcing this task to an experienced MSSP. These companies should be CMMC Registered Provider Organizations (RPOs), a list of which the CMMC Accreditation Body (AB) maintains.
RPOs specialize in compliance services and monitored security for DoD contractors who need to obtain CMMC. They can also conduct an assessment and perform the remediation needed to pass an audit for the required CMMC level.
It’s essential for a contractor to choose a trustworthy RPO because the contractor is ultimately responsible for ensuring it meets the appropriate security requirements.
Outsourcing CMMC compliance to a qualified MSSP allows DoD contractors to save time and money when obtaining CMMC compliance.
These providers should have all the necessary knowledge and experience to conduct a readiness assessment and develop SSPs and POA&Ms.
They should also have access to the tools needed to monitor and respond to security incidents. In addition, MSSPs should be able to remediate security gaps as needed so the contractor becomes CMMC compliant, including producing the documentation needed to verify the implementation of the appropriate controls for the desired security level.
They must also be able to show a CMMC auditor that the contracting organization is maintaining these controls.
Another popular option for organizations looking to outsource responsibly to a trusted provider is an enclave: segmenting sensitive data such as CUI off the organization’s main network (often referred to as the “commercial” network).
What is an enclave? An enclave is “a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.” (Source)
In short, an enclave’s purpose is to protect and secure highly sensitive information, with access given only to those who need it, when they need it. When an enclave is purpose-built for specific information like CUI, which carries cybersecurity requirements such as NIST 800-171, the technology components are not deployed across the whole organization, only to the subset of authorized users. This allows for controlling the confidentiality, integrity, and availability of sensitive information.
The enclave approach allows organizations seeking certification (OSCs) to shrink their scope, better define the boundaries of the system where CUI is stored, processed, and transmitted, and helps with documenting what will be assessed by an external assessor (CMMC, DIBCAC, customer, etc.).
By using the enclave approach, costs can be much lower and more tightly controlled, because the configuration and support of a dedicated, purpose-built network becomes easier to maintain and administer as an ongoing process.
It becomes much easier to document and define where CUI is at all times when an OSC’s CUI management plan is using a hardened technical solution that an enclave provides.
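The scoping benefit described above can be made concrete with a small check over an asset inventory. The following Python script is an added example, not code from the article or from cuick trac; it assumes a constructed inventory in which each asset is tagged with a zone label ("enclave" or "commercial", both assumed), whether it stores, processes or transmits CUI, the assets it sends data to, and whether it is the designated controlled interface at the enclave boundary. From that it derives the assessment boundary (every enclave asset) and flags the two ways CUI scope typically leaks: a CUI-handling asset sitting on the commercial network, and a data flow that crosses the boundary without passing through the controlled interface.

```python
"""Enclave scope check (added example; hypothetical inventory format)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    """One row of a constructed asset inventory."""
    name: str
    zone: str                                   # assumed labels: "enclave" or "commercial"
    handles_cui: bool                           # stores, processes or transmits CUI
    flows_to: Set[str] = field(default_factory=set)  # assets this one sends data to
    controlled_interface: bool = False          # designated boundary device (e.g. enclave firewall)


def assessment_scope(inventory: List[Asset]) -> List[str]:
    """Everything inside the enclave zone is what an external assessor would examine."""
    return sorted(a.name for a in inventory if a.zone == "enclave")


def scope_findings(inventory: List[Asset]) -> List[Tuple[str, str, str]]:
    """Return (finding, source, destination) tuples describing scope problems."""
    by_name: Dict[str, Asset] = {a.name: a for a in inventory}
    findings: List[Tuple[str, str, str]] = []
    for a in inventory:
        # 1. CUI living outside the enclave defeats the purpose of the enclave
        #    and silently widens the assessment boundary.
        if a.handles_cui and a.zone != "enclave":
            findings.append(("CUI_OUTSIDE_ENCLAVE", a.name, ""))
        for dst_name in sorted(a.flows_to):
            dst = by_name.get(dst_name)
            # 2. A flow to something not in the inventory cannot be assessed at all.
            if dst is None:
                findings.append(("UNKNOWN_DESTINATION", a.name, dst_name))
                continue
            # 3. A flow crossing the zone boundary must pass through the controlled interface.
            crosses = (a.zone == "enclave") != (dst.zone == "enclave")
            if crosses and not (a.controlled_interface or dst.controlled_interface):
                findings.append(("UNCONTROLLED_BOUNDARY_FLOW", a.name, dst_name))
    return findings


# Constructed sample inventory; the hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    Asset("fw-enclave", "enclave", False, {"corp-mail"}, controlled_interface=True),
    Asset("cui-fileserver", "enclave", True, {"fw-enclave"}),
    Asset("cui-workstation-01", "enclave", True, {"cui-fileserver", "corp-printer"}),
    Asset("eng-laptop-07", "commercial", True, {"corp-fileshare"}),
    Asset("corp-fileshare", "commercial", False),
    Asset("corp-printer", "commercial", False),
    Asset("corp-mail", "commercial", False),
]

if __name__ == "__main__":
    print("Assessment scope:", assessment_scope(SAMPLE_INVENTORY))
    for kind, src, dst in scope_findings(SAMPLE_INVENTORY):
        print(f"{kind}: {src} -> {dst}" if dst else f"{kind}: {src}")
```

Run against the sample inventory, the scope is the three enclave assets, and two findings appear: the engineering laptop holding CUI on the commercial network, and the CUI workstation printing directly to a commercial printer instead of through the enclave firewall. Both are exactly the kind of item an OSC wants to resolve, either by moving the asset into the enclave or by cutting the flow, before an assessor draws the boundary for them.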
The CUI being handled by an OSC is the responsibility of that organization. CMMC 2.0 puts a very strong emphasis on responsibility and accountability, as required by NIST 800-171.
There are 320 assessment objectives within NIST 800-171A, all of which not only need to be demonstrated to be in place (to meet the 110 requirements/controls of NIST 800-171), but also need to have accountability and responsibility assigned to each one.
With an enclave provider who only focuses on NIST 800-171 and CMMC, outsourcing that responsibility is a massive time and resource saver for an OSC.
With cuick trac™, that’s exactly what OSCs get: full outsourcing of the technology implementation needed for processing, storing and transmitting CUI, in order to comply with DFARS 252.204-7012, NIST 800-171, and the emerging CMMC, in an affordable, practical and secure way.