CMMC 2.0: DoD Contract Requirements for Defense Contractors

If your business works in the DoD supply chain, you will need to prove your CMMC compliance.

The New Standard

If you are a U.S. Department of Defense (DoD) contractor, you may be subject to the Cybersecurity Maturity Model Certification (CMMC) requirements. This standard outlines the cybersecurity requirements for DoD Defense Industrial Base (DIB) contractors in protecting sensitive information stored on their servers. For contractors who store or process Controlled Unclassified Information on DIB networks and servers, maintaining compliance with these requirements is necessary to protect this data from unauthorized access and misuse. At Meriplex, our skilled and knowledgeable team of technical experts can provide the support and assistance you need to implement a Cybersecurity Maturity Model Certification program to keep your data secure and protect your DoD contracts now and in the future.

What is CMMC?

The Cybersecurity Maturity Model Certification program is designed to provide a framework for maintaining security for the entire DoD supply chain — primarily for DoD contractors and subcontractors who handle Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). CMMC establishes parameters for safeguarding this information by instituting cybersecurity measures and managing access to CUI and CDI in an efficient and strategic way.

Understanding the basics of CMMC can be challenging for your IT team and operations. However, working with a company with proven experience in cybersecurity measures and implementations can often allow you to manage Department of Defense requirements and achieve a higher level of protection for the data entrusted to your care. Meriplex can help you design a program to manage cybersecurity for CDI and CUI while remaining in compliance with all the provisions of CMMC.

Why is CMMC Important?

Even though the data included in CUI is not subject to the same strict controls as classified information, protecting the confidentiality of this data is essential to the national security interests of the United States. According to the Defense Counterintelligence and Security Agency, however, unauthorized access to CUI can provide information to the enemies of the United States, which can translate directly into higher risks to our national security. Therefore, adequate and appropriate security is required when handling or maintaining CUI.

CUI and CDI stored in the Defense Industrial Base can be attractive targets for cyberattacks. While contractors have always been required to demonstrate that they are maintaining adequate security for this data, the framework and levels provided by the Cybersecurity Maturity Model Certification can create a standard for managing security and greater consistency in cybersecurity measures across the spectrum of DoD contractors. Additionally, this CMMC certification can improve cybersecurity for companies across the Defense Industrial Base by providing a verifiable assessment platform.

As far back as 2010, Executive Order 13556 defined CUI and provided some very general guidelines for protecting this information against cyber threats and unauthorized intrusion. In 2017, the DoD announced a requirement for defense contractors to self-assess their cybersecurity measures against the National Institute of Standards and Technology (NIST) requirements as outlined in the NIST 800-171 standard. While these self-assessments did represent a step forward in protecting CUI, the development of CMMC in 2019 marked a new stage in protecting this data against losses and unauthorized access by those with malicious intent.

CMMC 2.0 is expected to become part of standard defense contracts with organizations by May 2023. This streamlined standard will consist of three basic levels and will require more contractors to obtain third-party assessments of compliance to maintain their relationships with the Department of Defense and other government agencies. For contractors who will be subject to the requirements of CMMC 2.0, seeking help now from Meriplex can be a positive step in the right direction and can ensure compliance from day one of this new standard for cybersecurity.

Maintaining CMMC Compliance With NIST 800-171

The security controls required to stay in compliance with the CMMC were initially outlined in NIST Special Publication 800-171. However, self-assessment and certification of compliance with the NIST 800-171 standard have been required of many defense contractors since 2017. NIST 800-171 consists of 110-plus controls divided into 14 separate categories. All defense and government contractors were required to achieve Level 1 compliance with 17 basic practices. Higher levels of access required compliance with higher levels of cybersecurity and, in some cases, third-party assessments of the degree of compliance and the security afforded to CUI and CDI by these contractors.

By implementing the recommendations and requirements of NIST 800-171 into the measures taken to protect sensitive data, contractors can build a framework for compliance that will allow for improved security now and in the future. Meriplex can assist your company with NIST 800-171 compliance and can provide you with expert guidance on the best ways to implement a structure to protect sensitive data from misuse and unauthorized access. Creating a plan for compliance with NIST 800-171 is the first step toward securing information and maintaining your eligibility for contracts with the Department of Defense.

Why Use a Maturity Model?

Maturity models are used in project management to offer consistent benchmarks and frameworks for measuring growth and progress in a specific area. Maturity models establish a series of levels through which organizations can progress. This tiered approach to adopting new technologies and implementing standards can allow companies to upgrade their processes in a much more efficient and effective way.

Maturity models generally provide a starting point for companies to begin their improvement process. This represents a baseline from which organizations can create consistent gains in their security arrangements. As the contractor becomes more familiar with best cybersecurity practices, they will advance through the various levels of compliance and expertise to create a much more secure environment for the data in their possession. Working with Meriplex can streamline the process of adopting these maturity models and achieving full compliance with NIST 800-171 and the provisions of this certification for increased opportunities with the Department of Defense.

Using a maturity-model framework for this certification will allow companies to roll out their cybersecurity implementations in a progressive way. If your company will be subject to the provisions of CMMC 2.0, beginning the process of working through the requirements now can put you in a better position when this standard goes live sometime in the future.

CMMC 1.0 vs. CMMC 2.0: What Changed?

Since the initial announcement of the Cybersecurity Maturity Model Certification in 2019 and its inclusion in Department of Defense contracts starting in November 2020, efforts have been made to create a more streamlined approach to cybersecurity for contractors. CMMC 2.0 is the result of these enhancements and will likely go into effect in 2023.

1. Timelines: The DoD is estimating a rulemaking period of up to 24 months. During this time, DoD sources recommend that contractors adopt and implement NIST 800-171 to boost their Supplier Performance Risk System self-assessment scores. Early adoption of CMMC 2.0 could allow organizations to qualify for incentives from the DoD. Currently, the 2.0 version is scheduled to be included in contracts starting in May of 2023.
2. Fewer levels: Rather than the five levels included in the first Cybersecurity Maturity Model Certification, CMMC 2.0 will have only three tiers. Level 1 will continue to be the foundational level. Level 2 (Advanced) will be equivalent to Level 3 in the original configuration. Finally, Level 3 (Expert) will correspond to the current Level 5.
3. Third-party assessments: Contractors who manage CUI deemed critical to the national security of the United States will now be required to undergo a third-party assessment. All Level 2 assessments will be performed by third parties rather than completed as self-assessments by contractors.
4. Expanded application: Initially, only prime contractors were required to adhere to the Cybersecurity Maturity Model Certification provisions. The arrival of CMMC 2.0, however, will require contractors at other levels to obtain third-party assessments and comply with the requirements outlined in this certification.
5. Annual affirmations: A senior official at the contracting firm must issue an affirmation of compliance with the provisions of CMMC as part of the requirements of 2.0. This will provide some much-needed accountability for compliance with these cybersecurity requirements and allow contractors who misrepresent their efforts to be penalized for these actions.
6. Defining terms: While the overall effect of CMMC 2.0 is to streamline the process of upgrading and maintaining adequate cybersecurity protections for CDI and CUI, the provisions of NIST 800-171 will require 49 of the 110 control items to be defined and included as part of the implementation process. The net effect of this change to the standard will be to create greater rigor and consistency in managing the cybersecurity requirements of the 2.0 version.
7. Waivers: Most defense contractors will not receive waivers for the elements outlined in version 2.0. This will reduce the need for a remedial plan of action and milestones (POA&Ms) that were sometimes allowed for companies that failed to achieve satisfactory scores during the Cybersecurity Maturity Model Certification process.

The new standards will undergo scrutiny and rulemaking procedures before becoming mandatory for government contractors. Both Title 32 CFR and Title 48 CFR rulemaking will be required to ensure that 2.0 works as required and that all elements of the program are in accordance with the existing guidelines and frameworks for defense contracts and contractors.

CMMC Timelines

The precise timeline for compliance with these cybersecurity standards for government contractors is not yet known. In general, the Cybersecurity Maturity Model Certification program was first announced by the U.S. Department of Defense in June 2019, released as a model document in February 2020, and published as an interim rule in September 2020. The interim rule received numerous comments and was restructured as CMMC 2.0 in November 2021. The Department of Defense has announced that it will submit certification for the program to the Office of Management and Budget sometime in January 2023. This is later than previously estimated and could lead to delays in the March 2023 estimate for the issuance of interim final rules for cybersecurity by the Defense Department.

CMMC Framework

The framework for this cybersecurity program generally consists of four primary elements, which are listed and explained below:

• Domains: In the cybersecurity arena, domains are defined as sets of security practices that share attributes, and can be grouped together for purposes of data protection. Access control, risk assessment, incident response, audit and accountability, physical protection, and system communications protection are all domains that should be addressed when implementing these programs. Creating plans in accordance with the NIST 800-171 standard to manage these areas of cybersecurity will allow you to maintain compliance as a contractor.
• Practices: With 17 practices required at Level 1 and 110+ practices necessary to achieve Level 3, implementing the right cybersecurity practices can be the key to compliance with NIST 800-171 and the other requirements of this cybersecurity certification.
• Capabilities: While present in the first version of CMMC, this part of the framework has been removed for the new version. NIST 800-171 does reference capabilities, defined as the knowledge base, workflows, tools and talent pool of the organization employing these frameworks. The knowledge and experience of the cybersecurity team will determine the speed with which contractors can move up the levels within this program.
• Processes: Just as capabilities were removed in the revised version of CMMC, so were the processes. For reference, maturity processes demonstrate the progress toward the cybersecurity goal. This includes setting policies, documentation of the policies and steps taken to implement them, the active management of security issues, ongoing reviews, and continued optimization of the workflows and measures taken to manage cybersecurity throughout the organization.

Outsourcing your compliance requirements to Meriplex can allow you to easily adopt this cybersecurity framework for your contracting firm. We can tailor an approach that will prevent CUI data breaches and protect this information in the most proactive way possible.

CMMC Levels

Level requirements are based on the type of information DIB companies are capable of handling. The level required for each contract will be included as part of the RFP for the contract, which will also include information on reporting compliance with these requirements. The first version of CMMC consisted of five basic maturity levels representing stages of required security for the information safeguarded by contractors:

• Level 1: This minimal level of protection applies to contractors who deal with Federal Contract Information (FCI) not intended for public release.
• Level 2: Level 2 compliance is required for contractors who transmit or otherwise have access to CUI.
• Level 3: Contractors require Level 3 protection for managing, storing, or extracting data from CUI. At this level, contractors must actively protect CUI from unauthorized access.
• Level 4: Proactive measures and risk assessment strategies must be implemented to protect CUI and prevent possible threats to this information.
• Level 5: Advanced and progressive cybersecurity methods are required to achieve Level 5 status and protect contractors’ data. Optimization of security is required on a general and ongoing level.

Under 2.0, the number of levels has been reduced from five to three to reflect the actual requirements for protecting CUI from unauthorized access and misuse.

• Foundational: Level 1 of the new requirements continues to apply to companies with access to Federal Contract Information that is not for release to the general public. Most companies at this level can demonstrate compliance in an ad-hoc manner.
• Advanced: Level 2 applies to contractors handling national security data. Third-party assessments of compliance are required every three years for contractors who handle information deemed critical to national security. Companies that handle non-critical information related to national security, by contrast, are required to perform an annual compliance self-assessment.
• Expert: Contractors who access and handle CUI for high-priority programs in the Defense Department must institute cybersecurity measures that comply with Level 3 or Expert requirements.

Working with a trusted cybersecurity firm can allow contractors to institute the right measures for protecting CUI and maintaining eligibility for contracts with the Department of Defense and other government agencies.

Supply Chains and Contractactors

The requirements applicable to contractors can also apply to vendors and other elements of the supply chain. The various links in your supply chain should protect CUI and remain in compliance with the requirements and standards set forth by the Defense Department for your data. Working with a firm that specializes in compliance with these cybersecurity requirements can also allow your business to maintain adequate levels of security for vendors and other elements of your supply chain.

The Assessment and Accreditation Process

Qualifying for Cybersecurity Maturity Model Certification will likely take place in four stages as outlined in a draft published by the Cyber Accreditation Body on July 26, 2022:

• Phase One: Planning and preparing the assessment is Phase One of the assessment and accreditation process. Depending on the contract’s requirements, the assessor services of a CMMC Third Party Assessment Organization (C3PAO) may be retained during Phase One to perform all necessary third-party assessments for defense contractors and other organizations.
• Phase Two: The second phase involves performing the assessment. The C3PAO or self-assessment team will evaluate the documentation and performance of the contractor to determine whether the requirements have been met or not met. The results will be tallied and scored to determine whether certification is appropriate for the company.
• Phase Three: Also known as the reporting phase, Phase Three is the stage at which the  self-assessment results or third-party assessment are submitted to the Defense Department’s Enterprise Mission Assurance Support Service.
• Phase Four: Organizations seeking certification will typically have 180 days after the Assessment Final Recommended Findings Briefing to select a C3PAO and to conduct the close-out assessment.

This process will likely change before the new requirements go into effect sometime in 2023 or 2024. However, working with a company that specializes in cybersecurity, will continue to be a practical method for passing these assessments and maintaining eligibility for Defense Department contracts.

CMMC Consulting Services

Companies that offer assistance with cybersecurity compliance can offer practical remediation services that include the following:

• Assessing your current cybersecurity posture and creating a gap analysis that can help you stay in compliance with Defense Department requirements for your organization and subcontractors
• Designing your cybersecurity arrangements and ensuring that they are compliant with all applicable requirements
• Providing ongoing monitoring and compliance management for your company and your CUI
• Maintaining readiness for audits and other assessments with relevant documentation of your cybersecurity measures and activities
• Creating reports that will demonstrate compliance and will show progress toward any goals outlined by your organization or by your contract partners

The companies that provide these CMMC compliance consulting services are typically Registered Provider Organizations (RPO).

Maintaining Continued Compliance

Once you have established compliance with all cybersecurity requirements for certification, it is essential to remain in compliance. Working with a qualified and knowledgeable cybersecurity services provider will typically provide you with added help in maintaining your eligibility for contracts with the U.S. Department of Defense now and for the future of your organization.

Are You Prepared for a CMMC Assessment?

At Meriplex, we offer practical help in preparing for CMMC requirements now and as these standards evolve. To learn more about the CMMC readiness services we offer and how we can help you manage your Defense Department contract compliance, contact us online or by email at connect@meriplex.com. We are here to help you manage all aspects of compliance for managing cybersecurity for CUI throughout your organization.