Many IT and cybersecurity professionals working at or for solely civilian businesses aren’t aware of the Cybersecurity Maturity Model Certification (CMMC). But if an organization works with the government and the Department of Defense, particularly, they will soon be required to meet the requirements set forth in the CMMC. As the cybersecurity landscape constantly changes, so too do the standards that represent the best practices within the industry. So, what are the latest changes to the CMMC program, and how should organizations respond to ensure they maintain compliance? Read on to learn more.
What Is CMMC?
As previously mentioned, the Cybersecurity Maturity Model Certification (known as the CMMC) is a collection of guidelines by which companies who seek to or are in contract with the Department of Defense must abide by to protect the contractors’ systems from being compromised. This, in turn, protects the DOD from potentially having related sensitive information captured by malicious actors. Companies who enter contracts with the DOD are part of the Defense Industrial Base, or DIB. The DIB contains over a quarter of a million companies. By implementing a DIB-wide standard for cyber-defense protocols that each company must follow, the DOD can ensure that the most up-to-date and effective practices are uniformly used to protect the agency and the companies’ information technology systems.
A primary objective of these standards is to require contractors and subcontractors to engage outside, third-party vendors to conduct assessments on the contractors’ information technology systems to assess their compliance with the industry-standard requirements and best practices to minimize and remediate their vulnerabilities to cyber threats.
The level of compliance required by the CMMC program is based first and foremost on the type of information the contractor will handle. Some of the various data types covered include:
- Controlled Unclassified Information – (CUI) is sensitive information related to DOD activities or contracts that requires safeguarding but is not classified. CUI cannot legally be made public. CUI is further broken down into CUI and “Critical CUI” for the most sensitive but still unclassified information.
- Federal Contract information (FCI) – FCI is information that is not marked as public or for public release and is subject to minimum cybersecurity requirements. While not as sensitive as CUI, it must still be protected.
- Controlled Technical Information – (CTI) is technical information that must be protected and cannot be disseminated publicly. Engineer drawings, data, software, and technical reports are all examples of CTI
- Covered Defense Information – (CDI) is a general term that covers CUI and CTI.
Based on the type of data that will be handled, the company must meet a certain level of compliance. The level of required certification will generally be determined by the requirements of the DOD contract. Once the rule making process is complete, most prospective contractors and subcontractors will be required to meet CMMC requirements to a specific extent in order to be awarded and to fulfill the contract with the DOD.
Updates to CMMC
The initial CMMC release was in January 2020, when the DOD released its 1.0 version of the program. Organizations were given a five-year deadline to meet the compliance requirements of CMMC 1.0. Since then, the DOD has released an updated version, aptly called CMMC 2.0.
This updated program addresses rising cyber threat concerns by providing further guidelines for protecting sensitive information, promotes greater collaboration between stakeholders in maintaining the cybersecurity of the DOD and contractors/subcontractors, and seeks to level the field so that contractors and subcontractors can more easily meet the requirements of the CMMC.
Several changes are of note in the CMMC 2.0, specifically to the levels of compliance that have been truncated and modified. Instead of five tiered levels of compliance (Basic, Intermediate, Good, Proactive, and Advanced), there are now only three levels of compliance: Foundational, Advanced, and Expert. Changes to these levels consist of the following:
- Instead of Foundational, or Level 1, contractors and subcontractors being required to engage third parties to perform assessments on their systems, companies on this level and some companies on the Advanced level can perform internal assessments annually on their systems to prove compliance with the program. This removes some of the complexity for companies to meet Level 1 compliance. Still, companies need to meet 17 cybersecurity best practice requirements to be in Level 1 compliance.
- Instead of having a transitional Level 2 and a Level 3 for compliance, there is now just a Level 2, which is the equivalent of Level 3 in the initial CMMC framework. Companies required to achieve CMMC Level 2 will be required to comply with 110 cybersecurity practices that are all closely based on the existing NIST 800-171 controls. Most companies compelled to comply with level 2 will be required to retain a CMMC Third-Party Assessor Organization (C3PAO) to perform their assessments in order to gain certification. That assessment will need to be repeated every three (3) years with annual self-assessment on the years in-between. However, some contractors may be able to achieve Level 2 certification without a third-party assessment if their contract is a part of certain select programs.
- Contractors and subcontractors on the Expert level, or Level 3 (formerly Level 5), must have an assessment performed on their information technology systems every three years, which must be government-led. This is a change from CMMC 1.0, in which it was required that companies have assessments conducted by a CMMC Third-Party Assessor Organization. Organizations achieving certification at this level will need to comply with all of the controls in Level 2 as well as a suite of additional controls based on a subset of the requirements of NIST 800-172.
CMMC 2.0 also now allows some companies under select contracts to request waivers – to be time-barred and require higher DOD approval — for compliance with the CMMC. Similarly, some companies may be able to submit Plans of Action and Milestones to meet compliance, and such lack of compliance will not bar these companies from being awarded certain contracts. There will also be improved oversight of C3PAOs to ensure they’re operating professionally and ethically.
What Organizations Need to Do
It was recently released by the DOD that they plan to issue an interim rule about CMMC 2.0 by May 2023. If the framework is approved, the DOD may begin implementing CMMC 2.0 compliance as a requirement in contracts by July, 2023. At that time, your organization will need to achieve certification in order to bid on or be selected for those contracts.
To make sure your organization is eligible to win that business, you will need to assess your current security posture and the security protocols that you’ve already implemented. It’s also important that your company gathers the appropriate information related to your current or desired contract with the DOD to determine which level of compliance per the new version of the CMMC you need to have.
Hiring a dedicated cybersecurity firm to help assess the security of your organization can ensure that all facets of your security protocols are examined, and weaknesses are addressed. Conducting these assessments internally, (even if your organization’s level allows it to do so) can lead to disruptions in your work if you’re devoting significant resources to perform the assessment. Additionally, because you’re familiar with your security standards, you may inadvertently overlook some measures that may need to be improved upon and could miss vital updates that may be made further to the CMMC framework.
The cybersecurity professionals at Cyber74 have a deep understanding of the updated CMMC 2.0 program, with several of our experienced executives being CMMC Registered Providers. Because the CMMC framework is still evolving, staying informed about the latest requirements can be daunting. At Cyber 74, we have the dedicated resources to make sure we are fully informed and prepared to navigate the complex CMMC landscape. Contact us today to discuss the changes made to the CMMC and how we can help you reach or maintain the compliance you need to stay competitive in the DOD marketplace.