Cybersecurity Maturity Model Certification is a framework launched in 2020 by the US Department of Defense (DoD) to protect the defense industrial base, and the CUI – controlled unclassified information – within it from cyber-attacks. All DoD (sub-) contractors will have to earn their CMMC in order to be awarded DoD contracts with the use of or access to CUI. We write in future tense because as it currently stands, CMMC is in the pilot phase and only select contracts are requiring compliance.
There are currently 5 (but soon to be 3 – see below) levels of CMMC, each representing a level of data security a DoD supplier provides. Depending on the government needs in question, the DoD will only partner with organizations or providers with the certification level deemed appropriate for that specific need.
Again, it is important to note that we are now still in the roll-out phase of CMMC, and that a new version of CMMC, the so-called CMMC 2.0, is already underway. What this means is that not all DoD contracts have begun requiring CMMC, but that it is crucial for suppliers (or future suppliers) to start preparing for certification now.
The difference between the CMMC and DFARS
Up until 2020, before the roll-out of the CMMC, DFARS, or the Defense Federal Acquisition Regulation Supplement, was the golden standard and requirement for assessing if contractors protected data, specifically CUI, sufficiently.
With increasingly sophisticated cyberattacks came a need for more complex data protection – enter CMMC.
The CMMC expands on the DFARS, and they both use the NIST 800-171 security framework as their basis (CMMC 2.0 will also pull from NIST 800-172).
Both the CMMC and the DFARS were put in place for any contractor who handles, stores or transmits controlled unclassified information. The main differences between the two are the introduction of levels of compliance in the CMMC (there were none in the DFARS), and how compliance is assessed and granted.
Whereas the DFARS is a system of guidelines for self-assessment, the CMMC requires most assessments – this depends on the level – to be conducted by a C3PAO (3rd party assessment organization).
Another difference is that while a DoD supplier is only required to submit their NIST 800-171 assessment scores once under DFARS, the CMMC is an ongoing process. Certification will need to be re-assessed every 1–3 years (depending on level).
It may seem – and it was even the plan initially – that the CMMC replaced the DFARS, but that is not the case. They currently co-exist in harmony.
While already complying with DFARS will certainly make getting a CMMC level easier, it isn’t guaranteed. The two are not mutually exclusive – complying with one does not necessarily mean compliance with the other. Some CMMC levels don’t include all DFARS requirements, and some go beyond DFARS.
Why are there two versions of the CMMC?
Because of the complexity and financial burden of getting certified, where even the most basic certification level required undergoing an assessment by a C3PAO, many small and medium businesses expressed concern following the CMMC’s announcement.
With the certification process being such a long and expensive undertaking, many small and medium businesses wouldn’t have been able to undergo the certification process, effectively keeping them out of the running for DoD contracts.
For this reason, the DoD revamped the original CMMC into a more streamlined, simpler version, the CMMC 2.0. It takes small and medium businesses into consideration and fixes some of the issues of the earlier version.
CMMC 2.0 has already been published, but rulemaking is still “under construction” and is expected to be finalized in May 2023.
Once CMMC 2.0 it is ready, it will be mandatory in all DoD contracts.
As we will explain below, the preparation phase of the certification process can take up to or even over a year (in the case of level 3), so it is crucial for all DoD suppliers and potential suppliers to start thinking about the assessment process sooner rather than later.
What are the differences between CMMC 1.0 and CMMC 2.0?
|5 levels of compliance||3 levels of compliance|
|Includes maturity processes||Does not include maturity processes|
|3rd party assessment for even the most basic level||Self-assessment for basic level|
|POAMs not accepted||POAMs accepted|
The most visible difference between CMMC 1.0 and CMMC 2.0 is that the new CMMC will have fewer levels of compliance – 3 instead of the original 5 – and some requirements have been dropped.
Maturity processes have been completely taken out of CMMC 2.0. More on those below.
Very importantly, the most basic level will not require an external agency to do the assessment, making it easier and less expensive for small and medium businesses to receive their Level 1 certification.
CMMC 2.0 will also allow Plans of Action and Milestones (POAMs) which is basically a plan a supplier can submit detailing how it will meet some of the 1-point criteria of the CMMC, as a sort of waiver while applying for a certification without actually having met all the criteria yet. POAMs are another way the DoD aims to make it easier for suppliers, especially those smaller ones, to receive their certification.
A POAM will not be accepted for any of the 3- or 5- point requirements on the CMMC 2.0, and there will be a strictly enforced limit on how many POAMs can be used and the time limit in which they need to be fulfilled.
CMMC 1.0 did not have this mechanism and worked strictly on a “yay or nay” basis.
CMMC compliance levels (2.0 vs 1.0)
We’ve mentioned that the CMMC 2.0 will have fewer levels than the CMC 1.0. Three, to be exact. So let’s compare CMMC 1.0 compliance levels with CMMC 2.0 levels, because there are similarities and differences that suppliers need to understand.
CMMC 1.0 levels and maturity processes: A bit of a mess
CMMC 1.0 has 5 levels. The requirements at each level increase progressively and consist of certain standards from NIST 800-171 as well as CMMC-unique standards.
But it doesn’t stop there. There are also maturity processes that need to be adhered to in order for the level to be achieved:
- The CMMC 1.0 level 1 process is “performed”, meaning the supplier has simply performed the security process required.
- At CMMC 1.0 level 2, the “documented” process means that practices are not only performed, but that policies and plans are established for performing those processes.
- The “managed” process of CMMC 1.0 level 3 requires that all practices are reviewed for adherence to policies and plans.
- At CMMC 1.0 level 4, the “reviewed” process calls for the assessment of the effectiveness of those practices.
- Level 5 of CMMC 1.0 calls for “optimizing”, a process in which implementation of practices is standardized within all parts of the organization and improvements are shared among them.
Levels 2 and 4 of CMMC 1.0 are meant as transition levels, making the already complicated framework even more challenging to understand.
CMMC 2.0 levels: Simplified and streamlined
CMMC 2.0 has no such thing as maturity levels, and they’ve also done away with CMMC-unique requirements and transition levels. Every requirement within the CMMC process is taken from the underlying NIST 800-171 and NIST 800-172 frameworks, each level building on top of the other.
There are only 3 levels of compliance in CMMC 2.0 – no more transition levels. They are:
- CMMC 2.0 Level 1: Foundational
CMMC 2.0 level 1 is the same as it is under CMMC 1.0 and includes 17 cybersecurity practices. This level is intended for DoD suppliers that do not handle information that is critical to national security.
Assessment type: Annual self-assessment.
- CMMC 2.0 Level 2: Advanced
Level 2 certification will indicate that an organization is competent in securely storing and sharing CUI and will apply to the majority of DoD suppliers. It is similar to CMMC 1.0 level 3. There are 110 cybersecurity requirements at this level and they are all set out in NIST 800-171.
There are two sub-groups in this level based on whether or not the information being handled by the supplier is critical to national security.
Assessment type: There are two at this level – suppliers not handling information critical to national security perform an annual self-assessment (this is expected to be applicable to only a very a small portion of level 2 suppliers). Suppliers who handle critical information need to undergo a third-party assessment every 3 years.
- CMMC 2.0 Level 3: Expert
This level will be intended for a relatively small number of DoD suppliers that work on the DoD’s highest priority programs. It is comparable to CMMC 1.0 level 5. The requirements are a combination of the 110 standards of the NIST 800-171 and a subset of NIST 800-172 controls.
The aim at CMMC 2.0 level 3 is to reduce the risk of Advanced Persistent Threats.
Assessment type: Assessment by government official every 3 years. The assessment guide for level 3 is still being developed, so there is currently no detailed information on the exact structure of it.
CMMC assessment process
In order for a supplier to get their certification, they have to undergo the assessment process, which starts long before the actual assessment.
Since most contractors will need to get a minimum CMMC 2.0 level 2 certification, there is preparation involved that will take up to a year. For level 1, the pre-assessment phase will likely take 2–3 months.
Best practice is to start out with a gap analysis of the current state of cybersecurity practices at the supplier in question, followed by the implementation and pre-assessment phases. It is a good idea to use the services of a CMMC Registered Practitioner Organization (CMMC-RPO) for these phases.
A CMMC-RPO is an organization that has been certified by Cyber AB, the official authorization body of the CMMC, to consult and guide suppliers during their preparation for the CMMC assessment.
The actual CMMC 2.0 assessment is done either as a self-assessment for level 1 and part of level 2, a C3PAO assessment for most of level 2, or a government-lead assessment for level 3.
A 3rd party assessment is conducted by a C3PAO of the supplier’s choice over the course of several weeks and is followed by the C3PAO writing up a report that it provides directly to the DoD.
For CMMC 2.0 level 3, a government-lead assessment will be required. Details for this type of assessment are still being drawn up by the DoD.
The time to prepare for CMMC is now!
The CMMC is something any potential DoD contractor needs to think about long before they even start thinking about submitting a proposal to a RFP, so even though the final CMMC 2.0 rule isn’t out yet, the time to act is now. Getting your systems ready for the assessment takes months, and, in the case of a level 3 assessment, even over a year from start to finish.
How Safetica Helps you to Comply with CMMC
Allows you to create and apply security policies
Safetica makes it possible to monitor user operations across an entire organization. It can recognize and classify CUI and FCI and provide reports on how data is processed.
Based on Safetica’s data classification, you can apply DLP policies, and thus enforce designated security policies and desired user behavior when users interact with sensitive or confidential information. Your data will not be sent via e-mail, copied to uprotected device, or uploaded to personal cloud storage.
Classifies your data and performs security audits
Safetica allows configurable and customizable data classification. Safetica performs data security audits and provides a detailed overview of sensitive data flow and storage. The subsequent data classification protection levels are configurable as well, and allow silent logging, user notification, or enforced restriction of selected user operations.
Notifies you about security incidents
Safetica’s real-time email alert system notifies you immediately in case of a security incident. It provides sufficient detail so you can assess the impact of the situation and take follow-up actions. Based on the extensive audit, you can identify the depth of the breach, the sensitive documents concerned, and the individuals affected.