The State of CMMC

There have been changes made from CMMC 1.0 to CMMC 2.0, but the newest version has yet to be finalized. This article will detail the current state of CMMC along with recent updates on CMMC 2.0.

CMMC Purpose

Defense contractors and subcontractors working within the supply chain of the defense industrial base have become increasingly targeted for cyberattacks by malign actors seeking access to sensitive U.S. national security information. Because of the potential threats to U.S. national security, the U.S. Department of Defense first announced the Cybersecurity Maturity Model Certification (CMMC) program in 2019. The program will require companies that contract with the DoD to obtain CMMC certification at an appropriate level to demonstrate that they comply with the requirements outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS).

The purpose of CMMC is to ensure that businesses operating within the defense supply chain have strong cybersecurity systems in place to protect controlled unclassified information (CUI). The certification requirements will apply to all companies operating within the DoD supply chain, including contractors that exclusively interact with the DoD and all subcontractors.

CMMC 1.0 vs. CMMC 2.0

CMMC 1.0 was initially announced by the DoD in 2019, and an interim rule was proposed and published in the Federal Register on Sept. 29, 2020. In response to the interim rule, the Department of Defense received more than 850 public comments, leading it to make changes to the CMMC 1.0 program and replace it with CMMC 2.0. On Nov. 4, 2021, the DoD issued a press release announcing that CMMC 2.0 would replace CMMC 1.0 to achieve the following goals:

  • Simplify CMMC compliance by allowing companies to conduct self-assessments at lower levels of certification
  • Apply priorities for the protection of DoD information
  • Reduce barriers to CMMC compliance while ensuring accountability
  • Foster collaboration between the DoD and the DoD supply chain to enhance cyber resiliency and cybersecurity

All companies that contract with the Department of Defense, and their subcontractors, will have to achieve CMMC 2.0 certification within the established timeframe to continue contracting with the Department of Defense, ensuring the safeguarding of CUI and federal contract information.

CMMC Levels

CMMC 2.0 collapsed the five levels in CMMC 1.0 into the following three, based on the sensitivity of the information companies handle within their non-governmental information systems:

  • Level 1 – Foundational level at which the organization implements 17 different security practices and conducts annual self-assessments
  • Level 2 – Advanced level at which the organization implements the 110 practices of NIST SP 800-171 and undergoes triennial assessments by an approved third-party assessment organization
  • Level 3 – Expert level at which the organization implements the 110 practices of NIST SP 800-171 plus additional practices based on NIST SP 800-172 and undergoes triennial government-led assessments

Status of the Final Rule

According to the most recent status update of open DFARS cases, the Department of Defense anticipates that the report on the draft final DFARS rule will be issued on May 10, 2023. However, this timeline is aggressive. The Office of Information and Regulatory Affairs at the Pentagon can extend the deadline by 30 days, so the initial draft rule might not come until July 2023 or later. Once the initial draft rule is published, a 60-day public comment period will open. The rule will not become final until all public comments have been answered and addressed, so contractors should anticipate that the final rule will be issued by Sept. 2023 at the earliest. As a result, CMMC requirements likely won’t begin to appear in federal contract requests for proposal until 2024, but companies should be preparing now for certification to ensure CMMC compliance when the time comes.

How Should Organizations Prepare?

To be successful, organizations should start preparing now for a CMMC assessment if they haven’t already begun the process. They should begin by conducting a gap analysis and implementing steps to remediate gaps in cybersecurity with the goal of achieving the appropriate level.

Before doing anything else, a company needs to determine the appropriate certification level that it will be required to achieve. Many companies will only need to achieve Level 1. However, to determine whether your organization needs to achieve Level 1 certification or a higher level, you should review your contracts and determine which level is most appropriate for your business’s operational needs.

Once you have identified the appropriate level of certification, you should review the scoping guidance for that level. Your company’s scope should include clear definitions of how your assets are classified and of the boundaries of your system. Make sure that your scoping documentation also identifies the assets that fall outside the scope of the requirements. The larger the scope, the greater the assessment risk, so include only the areas of your business operations that are necessary for your company’s contracts with the Department of Defense.

Once you have completed these tasks, your company will need to conduct a gap analysis of your current system against the appropriate assessment guide for CMMC Level 1 or 2 as a mock assessment to identify all gaps that your company will need to remediate before an initial assessment. The assessing organization should provide your company with recommendations so that you can address all gaps that have been identified appropriately. This type of analysis can also help you identify the roles and responsibilities of key team members and the types of evidence your company will need to satisfy requirements.

Companies should anticipate that CMMC preparation will take a long time, which makes it critical for your business to vigorously undertake the preparatory steps. You should be fully prepared for certification long before it is time to submit a proposal. Most companies will need at least six months to prepare, but this can vary based on the maturity of the business’s cybersecurity operations.

While the final rule and its implementation are still some months away, companies must be prepared to meet CMMC requirements and obtain the appropriate certification level. If you would like to learn more about the state of CMMC and the steps your company should take, contact Meriplex for more information.