A common concern expressed by the general public and the United States government is the state of cybersecurity and the country's ability to defend itself against cyber attacks originating both inside and outside the United States. In response to this concern, the Department of Defense (DoD) has been developing the Cybersecurity Maturity Model Certification (CMMC) program.
On December 26, 2023, the DoD published the proposed rule for the CMMC Program (commonly referred to as CMMC 2.0) in the Federal Register.
This is part of the DoD’s initiative to improve security within the defense industrial base, or DIB. If you are not familiar with the DIB, it is defined as “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts to meet U.S. military requirements.”
The model incorporates the security requirements from:
- FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, for a Level 1 assessment.
- NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, assessed using the procedures in NIST SP 800-171A, for a Level 2 assessment.
- A selected set of the requirements from NIST SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, for a Level 3 assessment.
A Level 1 assessment covers the information protection requirements for Federal Contract Information (FCI). Level 2 and Level 3 assessments cover the information protection requirements for Controlled Unclassified Information (CUI). The assessment processes for Level 1 and Level 2 have been defined; the Level 3 assessment process has not yet been finalized.
When Will the CMMC Program Be Effective?
Per Section 170.3 (Applicability) of the CMMC proposed rule, Phase 1 begins on the "effective date of the CMMC revision to DFARS 252.204-7021." This is expected to be at the beginning of 2025. Phase 1 includes CMMC Level 1 and Level 2 self-assessments, whichever applies to the defense contractor. Phase 2 begins six months after the start of Phase 1; in Phase 2, the DoD will add CMMC Level 2 certification assessment requirements to all applicable contract awards. Overall, there are four implementation phases, with Phases 1 and 2 the most relevant at present because their effective dates are closest.
Understanding Cybersecurity Maturity
Because the DoD CMMC is designed to evaluate an organization's cybersecurity maturity, it is important to have a basic understanding of what cybersecurity maturity is. Essentially, cybersecurity maturity is the level of sophistication an organization has achieved in implementing cybersecurity policies and practices (including technical implementations). The CMMC model is organized into 14 security domains, which correspond to the control families in Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171. The domains are identified below:
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each of these domains contains practices that a defense contractor must have in place in order to satisfy the domain. For example, a practice statement under the Access Control domain is "Control the flow of CUI in accordance with approved authorizations." A Level 1 assessment includes a subset of the above domains and of the practices within them, while Level 2 and Level 3 assessments include all domains and practices.
To think about cybersecurity maturity in terms of an everyday activity, equate it to physical hygiene. Are you just brushing your teeth every day, or do you also floss, shower (with soap and shampoo), wash your hands frequently, wash your clothes, comb your hair, and so on? From a cybersecurity perspective, do you just have auditing turned on and generating events, or do you know which events are being generated? Are the audit events prioritized? Are they reduced to the ones worth reviewing? Are they correlated across multiple hosts and over time? Do you protect audit logs from tampering? There is a big difference between just brushing your teeth every day and practicing complete physical hygiene, and so it is with cybersecurity.
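To make the audit-log questions above concrete, the following is an added illustration (not code from the original article or from any CMMC publication) of the three habits that separate "auditing turned on" from mature audit handling: reducing events to the ones an analyst needs, correlating them across hosts and time, and keeping the stored log tamper-evident. The event records and the hash-chain layout are constructed for this example; the field names (host, ts, type, user, src) are assumptions about how a log shipper or SIEM might normalize events, not a real product's schema.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs), already normalized the way a
# SIEM or log shipper might present them: host, UTC timestamp, type, user, source IP.
SAMPLE_EVENTS = [
    {"host": "fs01",  "ts": "2024-04-01T09:00:05Z", "type": "auth_fail", "user": "jdoe",   "src": "198.51.100.7"},
    {"host": "fs01",  "ts": "2024-04-01T09:00:30Z", "type": "auth_ok",   "user": "asmith", "src": "10.0.5.23"},
    {"host": "web02", "ts": "2024-04-01T09:01:10Z", "type": "auth_fail", "user": "jdoe",   "src": "198.51.100.7"},
    {"host": "db01",  "ts": "2024-04-01T09:02:40Z", "type": "auth_fail", "user": "admin",  "src": "198.51.100.7"},
    {"host": "fs01",  "ts": "2024-04-01T09:03:00Z", "type": "file_read", "user": "asmith", "src": "10.0.5.23"},
    {"host": "web02", "ts": "2024-04-01T09:15:00Z", "type": "auth_fail", "user": "bwong",  "src": "10.0.5.99"},
    {"host": "db01",  "ts": "2024-04-01T10:30:00Z", "type": "auth_fail", "user": "jdoe",   "src": "198.51.100.7"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def reduce_events(events, keep_types):
    """Audit reduction: keep only the event types an analyst needs to review."""
    return [e for e in events if e["type"] in keep_types]


def correlate_failures(events, window_seconds=300, min_hosts=3):
    """Correlate failed logins across hosts and time.

    Flags a source IP whose failures hit at least `min_hosts` distinct hosts
    within `window_seconds`. A burst against a single host, or failures spread
    far apart in time, does not qualify.
    """
    by_src = {}
    for e in reduce_events(events, {"auth_fail"}):
        by_src.setdefault(e["src"], []).append(e)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        i = 0
        while i < len(evs):
            start = _parse_ts(evs[i]["ts"])
            # Events are sorted, so the in-window events form a prefix of evs[i:].
            cluster = [e for e in evs[i:] if _parse_ts(e["ts"]) - start <= window]
            hosts = sorted({e["host"] for e in cluster})
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": hosts,
                               "first": cluster[0]["ts"], "last": cluster[-1]["ts"]})
            i += len(cluster)  # move past this window so one burst yields one alert
    return alerts


GENESIS = "0" * 64  # assumed starting value for the hash chain


def build_chain(events):
    """Tamper-evident log: each record's hash covers the previous hash and the event."""
    chain, prev = [], GENESIS
    for e in events:
        payload = json.dumps(e, sort_keys=True, separators=(",", ":"))
        h = hashlib.sha256((prev + payload).encode()).hexdigest()
        chain.append({"prev": prev, "event": e, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        payload = json.dumps(rec["event"], sort_keys=True, separators=(",", ":"))
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


def tamper_demo(chain, index=2):
    """Alter one stored event (e.g. an intruder hiding their source IP) and re-verify."""
    tampered = copy.deepcopy(chain)
    tampered[index]["event"]["src"] = "10.0.0.1"
    return verify_chain(tampered)


if __name__ == "__main__":
    print("auth failures after reduction:", len(reduce_events(SAMPLE_EVENTS, {"auth_fail"})))
    for alert in correlate_failures(SAMPLE_EVENTS):
        print("ALERT:", alert)
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain))
    print("after tampering:", tamper_demo(chain))
```

Run as written, the correlation step produces one alert (198.51.100.7 failing against fs01, web02 and db01 within three minutes) and ignores the lone failure from 10.0.5.99 and the later isolated failure at 10:30. The hash chain detects the altered record at index 2. The chain alone only proves that a stored log was not edited in place; an attacker who can rewrite the whole file can recompute it, so in practice the latest hash is periodically anchored somewhere the log host cannot write, such as a separate log server or a write-once store.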
What is the DoD Cybersecurity Maturity Model Certification?
The CMMC framework is designed to protect two specific types of data within the DoD supply chain: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Per 48 CFR 52.204-21, FCI is "information provided by or generated for the Government under contract not intended for public release." Per NIST SP 800-171 Rev. 2, CUI is "information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information…". Executive Order 13556, issued November 4, 2010, established the program for managing CUI.
Using a tiered approach, the CMMC measures cybersecurity maturity across three levels and aligns each level with associated security processes and practices. Each level builds upon the previous one in the number of required practices (or controls) and the maturity of the associated processes. The CMMC also has a certification component: an independent third-party assessment that verifies the process maturity and practice implementation for a given level.
To achieve certification at a given CMMC level, an organization must reliably demonstrate that it has established the processes and implemented the practices (controls) associated with that level. To achieve a higher level, an organization must also meet all of the process and practice requirements of the lower levels. The CMMC levels are summarized below.
What Are the CMMC Levels?
To achieve CMMC compliance at any of the three levels, organizations must demonstrate mature processes and implementation of associated security practices. As you might expect, the degree of difficulty in achieving a certain level increases as the level increases. Below is a summary of each level with regard to its focus, process maturity, and practice maturity.
- Level 1:
  - Focuses on the safeguarding of FCI
  - Consists of the 15 FAR 52.204-21 requirements
  - Assessed against the corresponding NIST SP 800-171A assessment objectives
  - Includes what would be considered the basic cyber practices (17 practices across 6 domains designed to protect covered contractor information systems)
  - Performed as an annual self-assessment
- Level 2:
  - Focuses on the protection of CUI
  - Applies to both FCI and CUI
  - Aligns with NIST SP 800-171 Rev. 2, assessed using NIST SP 800-171A
  - Includes all of the cyber practices (110 practices across 14 domains)
  - Performed as a self-assessment or, where the contract requires a Level 2 certification assessment, by an authorized C3PAO listed on the Cyber AB website
  - Performed every three years
- Level 3:
  - Focuses on the protection of CUI against risk from Advanced Persistent Threats (APTs)
  - Applies to both FCI and CUI
  - Adds a selected set of NIST SP 800-172 requirements on top of Level 2
  - Under development, with details to be provided at a later date
As FAR 52.204-21 is already incorporated into most government contracts, completing a Level 1 self-assessment should not require a large amount of additional resources.
Who Needs CMMC Certification?
The answer to this question is relatively straightforward. Any organization that supports or provides services to the DoD, or is part of the DoD supply chain, will be required to meet the CMMC level specified in its contracts. This includes organizations that provide engineering, research, sustainment, development, and similar services for DoD systems, networks, and installations. Think of these as subservice organizations to the DoD.
The majority of the organizations will be assessed at Levels 1 and 2.
How Do I Get CMMC Certified?
In order to obtain a CMMC certification, organizations must be assessed by a Certified Third-Party Assessment Organization, or C3PAO. C3PAOs are authorized by the Cyber AB (formerly the CMMC Accreditation Body, or CMMC-AB), and the listing of authorized C3PAOs is published on the Cyber AB website. The Cyber AB also lists authorized professionals who can help you prepare for a CMMC assessment, such as Registered Practitioners. A Registered Practitioner provides consultative, non-certified CMMC advice and is not involved in the formal CMMC assessment process.
Summary
The DoD CMMC is required for all organizations that support the DoD directly or are in the DoD's supply chain. The CMMC framework consists of three increasingly demanding levels, and an organization is assessed against the level determined by the type of work it performs for the DoD and the sensitivity of the information it handles (FCI or CUI). Level 1 is a self-assessment performed by the defense contractor. Level 2 is either a self-assessment or, where the contract requires it, an assessment conducted by a C3PAO authorized by the Cyber AB and listed on its website.
To complement our FedRAMP and other NIST assessment services, Linford and Company is in the process of becoming an authorized C3PAO. If you have questions on how to prepare for an upcoming CMMC assessment, please contact us.
This article was originally published on 9/8/2020 and was updated on 4/24/2024.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent it working in public accounting at Ernst & Young and in industry, focusing on SOC 1 and SOC 2 and other audit activities, ethics and compliance, governance, and privacy. At Linford, Lois specializes in SOC 1, SOC 2, HIPAA, ISO, and CMMC audits. Lois' goal is to collaboratively serve her clients and provide a valuable and accurate product that meets the needs of her clients and their customers, all while adhering to professional standards.