CMMC 1.0 vs. CMMC 2.0 — What Changed?

There are quite a few changes between CMMC 1.0 and CMMC 2.0. Find out what they are and how they will affect your business.

What is the DoD’s Cybersecurity Certification?

Because of the sensitivity of information handled by companies that contract with the Department of Defense (DoD), contractors and subcontractors are required to achieve compliance with at least one level of the Cybersecurity Maturity Model Certification (CMMC). All organizations operating within the DoD supply chain will have to meet and maintain a good cybersecurity posture. All federal contractors contracting with the Department of Defense will have to comply with the framework by 2026.

In November 2021, the Department announced that it would be implementing CMMC 2.0 in place of the previous version. The updated framework implements several changes to increase the cyber hygiene of all companies that hold or participate in DoD contracts. The Department announced it would be engaging in rulemaking over the subsequent nine to 24 months, making it critical for federal contractors and subcontractors to prepare for the implementation of the updated version so that they can achieve compliance.

Reasons for the Cybersecurity Maturity Model Certification

To complete its projects and tasks, the Department of Defense relies on external contractors and subcontractors. Through its contracts, the Department exchanges sensitive information that requires protection with contractors. Inadequate security measures can place military service members and the security of our homeland at risk. Since self-certification was unreliable, the Department implemented the Cybersecurity Maturity Model Certification to ensure that contractors complied with NIST SP 800-171. Controls have been implemented for subcontractors and contractors to ensure that controlled unclassified data that is stored, processed, or transmitted will be protected. Contractors and subcontractors that fail to comply with the guidelines will not be able to submit a bid for contracts with the Department of Defense.

Why CMMC 2.0 Was Announced

The Cybersecurity Maturity Model Certification was initially effective on Jan. 21, 2020. However, the Department announced the rollout of CMMC 2.0 in Nov. 2021 after feedback about the original program. While the revised framework is still undergoing rulemaking, companies need to work towards becoming compliant so that they are prepared. Contractors should obtain certification as soon as possible and should be aware of the changes in the updated model, which controls how contractors will verify and communicate their cybersecurity standards.

The requirements are meant to protect all points in the DoD supply chain within the Defense Industrial Base (DIB). While the original version had five compliance levels, the 2.0 version has three. Meeting a level certifies that a contractor can protect controlled unclassified information at its point in the supply chain.

Each level contains both non-technical and technical requirements and builds on the lower level. The goal of the framework is to facilitate the ability of organizations to counter emerging cyber threats as they arise so that they will always be able to protect federal contract information and controlled unclassified data.

The specific required level for contractors and subcontractors is specified in the contracts. Most companies will need to achieve and maintain either level 1 or level 2. However, if your company has contracts with other parties outside of the Department of Defense, your entire organization will not need to comply with the CMMC. You can save costs by limiting your organization’s compliance to the portion of your organization that handles controlled unclassified information and federal contract information.

Three Levels in 2.0

In the Cybersecurity Maturity Model Certification 1.0 version, there were five different levels. They have been reduced to three in the 2.0 framework as follows:

Foundational – Level 1

Contractors and subcontractors that need to achieve level 1 compliance must submit annual self-assessments to the DoD and comply with 17 NIST 800-171 controls.

Advanced – Level 2

DoD contractors who must achieve and maintain level 2 certification must undergo third-party assessments every three years of their cyber hygiene in handling critical national security information. They must comply with 100 NIST 800-171 practices. Some programs will also require annual self-assessments.

Expert – Level 3

DoD contractors who must achieve and maintain level 3 certification must comply with more than 110 practices aligned with the requirements of NIST 800-172. Third-party assessments led by the government will be completed triennially.

CMMC 2.0 Framework

There were many simplifications to the framework in CMMC 2.0. Here are the noteworthy areas of change:


While CMMC 1.0 had 17 cyber domains, the 2.0 framework has 14. Domains are distinct groups of cybersecurity practices with similar characteristics that are critical for protecting controlled unclassified information and federal contract information either alone or together. The domains are listed in NIST 800-171 as follows:

  • Access control (AC)
  • Awareness/training (AT)
  • Audit and accountability (AU)
  • Configuration management (CM)
  • Identification and authentication (IA)
  • Incident response (IR)
  • Maintenance (MA)
  • Media protection (MP)
  • Personnel security (PS)
  • Physical protection (PE)
  • Risk assessment (RA)
  • Security assessment (CA)
  • System communications protection (SC)
  • System information integrity (SI)


Within the 2.0 framework, 110 practices associated with the various domains are identified at level 3 (a reduction from 171 practices for top-level compliance in CMMC 1.0). At level 1, 17 practices apply for the basic security of covered information systems for the protection of federal contract information. Additional practices at level 3 from NIST SP 800-172 have not yet been agreed upon.


CMMC 1.0 referenced capabilities explicitly, but these references were removed from 2.0. However, organizations should still consider their capabilities to ensure that cybersecurity is included in their risk management operations, strategies, and practices.

The capabilities in 1.0 are included within each domain from NIST SP 800-171. These capabilities provide goals for what a company should strive to achieve to ensure that it can maintain its cybersecurity posture and cyber hygiene for the protection of sensitive information. While they are not explicitly referenced in 2.0, they still provide important goalposts for contractors and subcontractors.


While processes held a significant role in CMMC 1.0, they have been removed as a requirement in 2.0. For clarity purposes, maturity processes demonstrate the progress toward a cybersecurity goal and can include policies, management of security issues, reviews, and workflows to mitigate cyber risks.


Framework 2.0 establishes assessment requirements based on the information’s sensitivity. Level 1 contractors who handle sensitive information that is not deemed to be critical to national security must perform annual self-assessments according to clear cybersecurity standards. Level 2 contractors who manage information deemed to be critical to national security must undergo third-party assessments. Those at level 3 who handle critical defense program information of the highest priority must undergo government-conducted assessments. The third-party and government-conducted assessments required for level 2 and level 3 will be conducted triennially.

To ensure that your organization protects controlled unclassified information, you must determine where you are storing it and how it will be transmitted. This requires you to correctly identify the information and where it resides in your network. If your contract doesn’t specify the information that needs to be protected, you should request clarification.

Once the data has been identified, you will need to establish your scope for achieving and maintaining compliance. You can complete a gap analysis to determine how you are currently handling sensitive data and the areas in which your company needs to improve either on your own or with the help of a CMMC consultant. This can allow your organization to implement a remediation plan so that you can reach your requirements for the necessary level. By working through the remediation plan, your organization can be prepared for its annual self-assessment, a third-party assessment, or a government-led assessment.

If your company will conduct annual self-assessments, you will need to submit a spreadsheet documenting two controls you use to meet each requirement based on your business’s processes and its IT environment. You can submit a plan of action and milestones to demonstrate that your company is moving towards achieving compliance as 2.0 is rolled out.

For a third-party assessment, the auditor will review assessment objectives based on parameters that explain the objective’s function or performance to determine the effectiveness of the control. You will need to prepare documentation about the mechanisms your company has deployed to meet the assessment objective. The auditor will access your facility, documentation, systems, and personnel to verify your processes are compliant.


The Department of Defense has said that it will allow limited waivers from the requirements for certain mission-critical acquisitions. However, these waivers will require approval from senior leadership in the Department, and they will be limited in duration.

Preparing for the rollout of Cybersecurity Maturity Model Certification 2.0 is critical for DoD contractors. Understanding the certification requirements at each level can help you to bring your current cybersecurity posture to the place it needs to be so that you can continue bidding on and participating in DoD contracts. To learn more about the Cybersecurity Maturity Model Certification 2.0 and its differences from version 1.0, contact us for more information.