To better protect the Defense Industrial Base (DIB) from increasingly dangerous cyber threats, the US Department of Defense (DoD) will soon start incorporating the CMMC 2.0 in new solicitations.
DoD contractors and subcontractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are expected to safeguard sensitive information by adhering to specific practices.
This article provides an overview of these required practices and outlines the changes made since the initial release of CMMC 1.0.
The Road to CMMC 2.0
The protection of sensitive information against both nation-states and non-state actors is a top priority for the DoD. This includes not only classified data, such as operational and battle reports or research documents, but also various unclassified data, from facility diagrams provided to construction workers to bills of materials for manufacturers.
By methodically collecting unclassified data shared by the DoD with contractors, a threat actor can gain useful insights that put national defense at risk.
The first comprehensive attempt to solve this problem came in 2017 with the release of the Defense Federal Acquisition Regulation Supplement (DFARS) clause for DoD contracts, which required all contractors and subcontractors handling CUI to comply with the NIST SP 800-171 framework and its 110 controls.
Unfortunately, DFARS failed to deliver the desired results because it relied on self-assessments and allowed contractors to create a Plan of Action and Milestones (POA&M) for missing controls. The DoD course-corrected by releasing the CMMC 1.0 in 2020, completely abolishing self-assessments and going well beyond the NIST SP 800-171 framework.
After an internal assessment of CMMC's implementation based on the feedback it received from the DIB, the DoD announced the CMMC 2.0 in November 2021.
CMMC 1.0 Versus CMMC 2.0
With the CMMC 2.0, the DoD aims to help get the assessment framework off the ground by cutting red tape for small and medium-sized businesses, many of which vocally criticized CMMC 1.0 for requiring too much time, money, and effort given their limited roles in the DIB.
As the image above illustrates, the CMMC 2.0 contains only three maturity levels, down from five in the CMMC 1.0:
- CMMC 2.0 Level 1: The first CMMC 2.0 level mirrors the first CMMC 1.0 level, consisting of 17 basic cybersecurity practices for contractors that need to protect FCI but don't store or process CUI.
- CMMC 2.0 Level 2: The second CMMC 2.0 level aligns with NIST SP 800-171, consisting of 110 cybersecurity practices for contractors that store and process CUI.
- CMMC 2.0 Level 3: Finally, the third CMMC 2.0 level is based on NIST SP 800-172, consisting of over 110 cybersecurity practices for contractors that store and process the most sensitive CUI.
In contrast with the original assessment framework, which didn't allow any self-assessments whatsoever, the CMMC 2.0 lets Level 1 contractors conduct annual self-assessments. For select programs, Level 2 contractors can also conduct annual self-assessments, but otherwise they're required to pass third-party audits on a triennial basis, and the same is true for Level 3 contractors.
POA&Ms are now allowed at all maturity levels, but they can only be used for certain non-critical cybersecurity practices. Senior executives of companies that decide to go the self-assessment route are required by the CMMC 2.0 to personally attest to the accuracy of the self-assessment, which exposes them to enforcement action by the US Department of Justice (DoJ) if the attestation is false.
Need CMMC Support?
If you need support meeting CMMC requirements, find a reliable technology service provider that can help you determine your compliance obligations and implement NIST SP 800-171.
Teal is a Registered Practitioner Organization. We can help you implement the necessary cybersecurity defenses that meet regulatory requirements and protect Controlled Unclassified Information (CUI) from unintended disclosure.
Contact us today for more information on how we can help you with your Cybersecurity Maturity Model Certification.