Understanding the CMMC 2.0 Framework & Levels
The DoD has recently simplified its cybersecurity certification in what they are calling CMMC 2.0. Find out more about the CMMC 2.0 framework and levels.
Cybersecurity Maturity Model Certification, often called CMMC, is a program designed by the Department of Defense (DoD). It is both a standard and a certification model for defense contractors that handle sensitive government information.
Before launch, DoD developed many iterations of the program to ensure contractors follow a unified approach to protecting sensitive defense information. The standards also cover how contractors must handle controlled unclassified information (CUI).
CMMC impacts national security and the defense industrial base. The model sets cybersecurity benchmarks and integrates them into the contracting process to ensure resilience against threats. As cyber threats become more sophisticated and pervasive, such a certification model helps safeguard extremely sensitive defense-related information.
Recently, the transition to CMMC 2.0 was announced. CMMC 2.0 reflects an evolution of the standards to enhance defense and protection measures. At the same time, CMMC 2.0 also simplifies the original framework by reducing certification levels and refocusing on more sensitive information.
Cybercrimes threaten the Defense Industrial Base, a network of organizations, universities, and companies that do business with the Department of Defense. Each entity may have a role in designing and producing military weapons systems.
By some estimates, cybercrime costs the private sector trillions of dollars a year. The DoD supply chain is exposed to the same criminals, and a breach there is particularly damaging to national security because each contractor holds data about the programs it supports.
Cybercriminals and state-sponsored actors constantly probe contractor networks for weaknesses. Therefore, every contractor must meet at least a baseline level of cybersecurity.
With CMMC, the department can ensure that all contractors protect information by meeting a common set of requirements and by having their implementation verified in a consistent way, rather than relying on each supplier's own interpretation.
Being a certified contractor gives your organization a competitive advantage over the hundreds of thousands of other suppliers in the defense industrial base. Because certification is a condition of award, a contractor that already holds the required level is better positioned when responding to an RFP, especially for multi-year contracts.
Proactively seeking certification strengthens your position in ways beyond contracts and revenue. Achieving certification means your organization has implemented controls that reduce the likelihood of a successful attack and limit the damage a data breach can cause.
That protects your organization's reputation with customers outside the Defense Department as well.
The CMMC framework is the yardstick for whether defense contractors adequately protect sensitive information. To reach even the basic level of certification, contractors must implement a defined set of framework components:
Meeting these requirements means following a maturity model. Compliance efforts must be comprehensive and scalable so that security measures can be demonstrated, and each maturity level is achieved only through verifiable implementation of the required practices.
Contractors advance to a higher level by completing the certification requirements that apply to each domain at that level.
The model structure that guides CMMC is meant to improve an organization's cybersecurity posture. CMMC currently uses 14 domains, which correspond to the 14 requirement families of NIST SP 800-171, and these domains define the technical capabilities needed to achieve and maintain certification.
The National Institute of Standards and Technology (NIST) publishes the security requirements that CMMC is built on; CMMC does not replace NIST guidance. Instead, CMMC adopts the NIST requirements as its baseline and adds a verification and certification layer, organized into a streamlined three-level model. The requirements of each level must be met before an organization can move on to the next.
CMMC 2.0 refines this approach by focusing specifically on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Each of the three levels of CMMC 2.0 aligns with a specific existing standard: Level 1 with the FAR basic safeguarding requirements, Level 2 with NIST SP 800-171, and Level 3 with NIST SP 800-171 plus a subset of NIST SP 800-172.
Level 1 (Foundational), also called basic cyber hygiene, consists of the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. These lay the foundation for contractors that process, store, or transmit federal contract information (FCI).
Meeting Level 1 does not require a third-party certification. Instead, your organization must define the scope of the assessment by identifying the systems, facilities, personnel, and any external service providers that have access to FCI, and then assess those assets against the 15 requirements.
In essence, you must self-assess annually and affirm, under the terms of the defense contract, that the basic safeguarding requirements are being met.
Level 2 (Advanced) requires organizations to implement and document their cybersecurity measures. Mirroring NIST Special Publication 800-171, these measures cover the 110 security requirements across 14 domains needed to protect controlled unclassified information.
Some considerations for having a solid cybersecurity approach include but are not limited to:
To achieve this, you must first identify any gaps that could hinder compliance. For example, you may need to assess existing practices against each of the 110 requirements and speak with the employees who will actually handle CUI.
Documenting what is missing helps guide your remediation efforts and demonstrates CMMC 2.0 readiness. For Level 2, a third-party assessment by an accredited organization (a C3PAO) is generally required every three years to maintain certification; for some contracts involving less sensitive CUI, the DoD permits a triennial self-assessment instead. Which applies is designated by the DoD in the contract based on the CUI being stored, processed, or transmitted.
The applicable DFARS clauses determine what is required: 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 assessment requirements and reporting of scores), and 252.204-7021 (CMMC requirements). The specific clauses included in your contract dictate which obligations apply.
Level 3 (Expert) is for defense contractors that handle controlled unclassified information on high-priority programs. In addition to meeting NIST SP 800-171, your organization is responsible for creating and maintaining a plan for safeguarding government information against advanced persistent threats.
As with the previous CMMC model, the Level 3 security requirements were still being finalized when this was written. The Defense Department has indicated that they will cover the 110 requirements of NIST SP 800-171 plus a subset of NIST SP 800-172. Level 3 is assessed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a third-party assessor, and a current Level 2 certification is a prerequisite.
These requirements should inform your goals, resource planning, training, and communication with every stakeholder who handles the sensitive data. A well-designed security infrastructure should support, not interfere with, the service you provide to the agency.
For companies without in-depth knowledge of the CMMC process, it may be beneficial to work with a Registered Provider Organization (RPO) that can deliver gap assessments and remediation strategies. The following eight steps can help your organization achieve CMMC certification as a DoD defense contractor.
The Department of Defense published the proposed rule for Cybersecurity Maturity Model Certification 2.0 on December 26, 2023. Under that proposal, the rollout of CMMC 2.0 is structured in four phases over roughly two and a half years, with requirements appearing in progressively more contracts at each phase.
Contractors must stay informed about each phase and the evolving requirements. The DoD may adjust timelines and specific requirements before and during the rollout, so contractors must keep tracking the rulemaking to stay compliant and competitive.
Satisfying the assessment requirements set by the DoD is crucial to your organization's success. In addition, you need to demonstrate that your cybersecurity controls are proportionate to the sensitivity of the government information you handle.
Meriplex offers consulting services to help you meet each level within the CMMC framework. With our certification preparation, you'll be ready to comply with CMMC 2.0, and our security-first approach prepares you to take every step needed to stay current with CMMC 2.0 standards.