The countdown has begun: December 16, 2024, marks the effective date of the Cybersecurity Maturity Model Certification (CMMC) 2.0. This pivotal update will reshape how SMB contractors engage with the Department of Defense (DoD).
As an experienced IT managed service provider (MSP) specializing in CMMC compliance, we’re here to guide you through this transition – ensuring your organization meets these new standards.
Empower your company with CMMC knowledge. This guide covers the process, benefits, maturity levels, and how to prepare for your CMMC audit.
What is CMMC, and Why is it Important?
CMMC is a framework designed to ensure that companies handling sensitive federal information – such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) – meet specific cybersecurity standards. It’s crucial for protecting data against cyber threats, ensuring that government contractors have the necessary cybersecurity controls in place to prevent breaches.
How is CMMC 2.0 Different from the Previous Version?
CMMC 2.0 simplifies the original model by reducing the number of certification levels from five to three. It also refines the requirements, focusing on the protection of CUI and FCI, and provides more flexibility with certain practices. Additionally, Cybersecurity Maturity Model Certification 2.0 allows self-assessments for lower levels (1 & 2) and introduces a focus on cost-effective compliance for small businesses.
What Are the Three Levels of CMMC 2.0?
CMMC compliance introduces a streamlined approach to cybersecurity, focusing on three distinct levels:
- Level 1 (Foundational): Targets basic safeguarding of FCI.
- Level 2 (Advanced): Centers on the protection of CUI.
- Level 3 (Expert): Aims to defend CUI against Advanced Persistent Threats (APTs).
Each level builds upon the previous, ensuring a comprehensive defense against evolving cyber threats.
When Will CMMC Go into Effect?
The CMMC rule officially goes into effect on December 16, 2024. Starting on this date, government contractors must meet certain cybersecurity requirements to be eligible for DoD contracts. There will be a phased implementation over the next few years.
Do I Need Certification for All DoD Contracts?
No, the level of certification required depends on the type of information you’ll be handling. For contracts involving FCI, Level 1 compliance might suffice, while contracts involving CUI will require Level 2 or Level 3 certification. It’s important to verify the contract requirements for each opportunity.
How Do Businesses Meet the Department of Defense (DoD) Security Requirements for Contracts?
An Organization Seeking Assessment (OSA) will select the CMMC level it desires to attain. The Cybersecurity Maturity Model Certification (CMMC) is a tiered framework designed to assess contractors’ cybersecurity practices based on the sensitivity of the data they handle.
Level 1 (Self)
Contractors must meet 15 security requirements to protect Federal Contract Information (FCI). These requirements are self-assessed annually by the OSA and entered into the Supplier Performance Risk System (SPRS) for verification.
Level 2 (Self)
Level 2 self-assessment requires compliance with the 110 security requirements derived from NIST SP 800-171 R2, which are designed to safeguard CUI that is processed, stored, or transmitted in the course of fulfilling the contract. Businesses must perform self-assessments every three years and submit the results to SPRS. They can also develop a Plan of Action and Milestones (POA&M) to address any gaps. Compliance must be affirmed annually.
Level 2 (C3PAO)
Businesses at this level must engage a C3PAO (Certified Third-Party Assessor Organization) to conduct an assessment of their compliance with the same 110 NIST SP 800-171 R2 requirements. C3PAOs are vetted and listed in the CyberAB Marketplace. After the assessment, results are entered into SPRS.
Level 3 (DIBCAC)
At this level, businesses must meet 24 additional requirements from NIST SP 800-172, which provide enhanced security controls for CUI. To reach Level 3, businesses must first achieve Level 2 certification through a C3PAO.
Once that is complete, the contractor can initiate a Level 3 assessment by emailing a request to the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) point of contact and including the Level 2 (C3PAO) certification unique identifier in the email.
How Often Will I Need to be Assessed for CMMC Compliance?
The frequency of assessments depends on your CMMC level. For Levels 2 and 3, third-party assessments may be required every three years. For Level 1, self-assessments will typically be done annually. However, regular internal assessments and reviews are recommended to ensure ongoing compliance.
Source: Federal Register
What is the Timeline for DoD Compliance?
The DoD has outlined a four-phase implementation plan over three years, with full compliance required by 2027:
Phase 1 (Year 1)
Commencing on December 16, 2024, contractors must perform self-assessments for all solicitations and contracts as a condition of award.
Phase 2 (Year 2)
One year after Phase 1, contractors must begin obtaining CMMC certifications for applicable DoD contracts.
Phase 3 (Year 3)
One year following Phase 2, all DoD contracts will require CMMC certification, including Level 3 for relevant contractors.
Phase 4 (Full Implementation)
In Phase 4, the DoD will incorporate CMMC requirements into all relevant DoD contracts and into any option periods for contracts awarded thereafter.
This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.
Can Small Businesses Afford to Comply?
Yes, while compliance with CMMC 2.0 introduces costs, the DoD has taken steps to ease the financial burden, particularly for small businesses. CMMC 2.0 was designed with flexibility in mind, offering a tiered approach that allows smaller businesses to meet lower-level requirements (Level 1 or 2) through self-assessment.
For Level 1, businesses only need to complete a self-assessment, which is generally low-cost and manageable. Many contracts involving CUI may only require a Level 2 self-assessment, which is similarly cost-effective for small businesses.
The DoD has streamlined CMMC requirements to align with NIST guidelines and removed unique security practices, making compliance more achievable. However, small businesses may still face challenges, particularly with third-party assessments for Level 2 or Level 3 certifications. The cost of these assessments is market-driven, as C3PAO pricing will vary based on supply and demand.
While the upfront costs of compliance can be significant, the DoD’s regulations include provisions like Plan of Action and Milestones (POA&Ms) to help businesses manage compliance over time. Additionally, businesses that are already compliant with the NIST SP 800-171 standards will find it easier to meet the Level 2 requirements.
Although the DoD does not currently provide grants or direct financial assistance to cover CMMC compliance costs, small businesses can seek support through industry programs, and some costs may be recoverable in contracts. The goal is to create a level playing field; while the DoD acknowledges the financial burden, it states that the necessity of protecting sensitive government data outweighs the cost of compliance.
We encourage small businesses to start early, assess their cybersecurity practices, and take advantage of any resources available to them to reduce the cost impact.
What Happens if My Company Does Not Comply with CMMC?
Non-compliance can result in losing eligibility for DoD contracts. This could mean missing out on lucrative government contracts and damage to your reputation in the defense industry. Therefore, it’s vital to begin preparing for compliance as soon as possible to avoid these consequences.
Is There a Grace Period for Achieving CMMC Compliance?
There is no formal grace period, but the phased implementation provides time for businesses to meet the requirements. However, contractors must comply by the deadlines to secure and maintain DoD contracts. Delays in compliance can affect future contract awards, so it’s best to start preparing early.
What Are the Penalties for Non-compliance with CMMC?
Adhering to CMMC 2.0 isn’t just about meeting regulatory requirements; it’s about safeguarding your business and the sensitive information entrusted to you.
Penalties for non-compliance could include:
- Losing the ability to bid on DoD contracts.
- Financial penalties.
- Damage to your reputation within the government contracting space.
Compliance is critical to remaining competitive and trustworthy as a government contractor.
Will Subcontractors Be Impacted by CMMC 2.0?
Yes, CMMC 2.0 requires companies to flow down cybersecurity requirements to subcontractors. If your company is a prime contractor, you will be responsible for ensuring that your subcontractors are also compliant with the relevant CMMC levels.
This helps create a secure supply chain, reducing the risk of data breaches and cyber threats.
What is an ESP & How Does CMMC Apply to Them?
An external service provider (ESP) refers to any external individuals, technology, or facilities used by an organization to provision and manage IT or cybersecurity services, including:
- Managed Service Providers – Provide technology support services (e.g., cybersecurity, cloud, help desk, consulting) to clients.
- Cloud Service Providers – Provide their own cloud services. An ESP that manages third-party cloud services for an OSA is not a CSP.
- External Service Providers – External technology, people, or facilities that an OSA uses to provide or manage IT and/or cybersecurity services. A provider only counts as an ESP if CUI or Security Protection Data (e.g., log data, configuration data) is processed, stored, or transmitted on its assets.
For a service provider to be considered an ESP under CMMC, it must process, store, or transmit Controlled Unclassified Information (CUI).
How Does CMMC Apply to ESPs Under the Final Rule?
The final rule provides clearer guidance on how to apply CMMC requirements to ESPs. If an ESP performs a security function, it is no longer required to undergo a third-party assessment (C3PAO assessment) by default.
Instead, the services provided by the ESP will be assessed as part of the OSA’s self-assessment or C3PAO assessment. The ESP must also provide a Customer Responsibility Matrix (CRM), which details the services provided and the responsibilities of both the OSA and the ESP. OSAs must document this relationship and the ESP’s services in their System Security Plan (SSP) and in the ESP’s service description.
What Are the New Rules for ESPs Regarding Certification?
Under the updated CMMC rules, it is no longer mandatory for an ESP to obtain a C3PAO assessment, even if they perform security functions. However, ESPs can still voluntarily pursue certification if they choose. This can be beneficial, as it may streamline future assessments and reduce the burden on OSAs to provide evidence during assessments.
To pursue certification, an ESP needs to have a Commercial and Government Entity (CAGE) code, a SPRS account, and the ability to meet CMMC Level 2 requirements if they are processing, storing, or transmitting CUI or Security Protection Data.
What If an ESP Only Provides Temporary Services, Like Penetration Testing or Forensic Analysis?
ESPs that only require temporary access for services like penetration testing, cyber incident response, or forensic analysis are not considered ESPs under the CMMC definition. These service providers do not process, store, or transmit CUI; therefore, they do not need to meet CMMC requirements as an ESP.
Are Small Businesses Required to Ensure FedRAMP Certification for Their Cloud Service Providers?
No, small businesses do not need to ensure that their Cloud Service Providers (CSPs) are FedRAMP Moderate certified if the CSP does not process, store, or transmit CUI as part of fulfilling the contract. This change reduces the compliance burden on small businesses that use cloud services for non-sensitive data, making the compliance process more affordable and less complicated.
How Does CMMC 2.0 Affect Virtual Desktop Interface Configurations for Small Businesses?
CMMC 2.0 introduces a key change for small businesses using Virtual Desktop Interface (VDI). If a VDI is configured to prevent the processing, storing, or transmitting of Controlled Unclassified Information (CUI)—other than for essential functions like keyboard, mouse, or video input—the endpoint is considered out of scope for CUI compliance.
This update simplifies compliance for small businesses using VDIs, reducing the need for complex CUI handling requirements as long as the VDI is set up correctly.
How Do I Get Started with CMMC Compliance?
The first step is to evaluate your current cybersecurity posture against the CMMC 2.0 standards. Identify gaps in your controls and create a roadmap to address them. You should also consult with cybersecurity experts or a managed services provider who has experience with CMMC compliance – like Teal – to ensure you’re on track and ready for assessments.
How Can an MSP Help You with CMMC Compliance?
As a CMMC Registered Provider Organization (RPO), an experienced MSP like us can provide comprehensive consulting services to help your business prepare for CMMC certification.
Our services include pre-assessment consulting, identifying and addressing security gaps, and ensuring your systems are ready for CMMC assessments. We can also offer continuous monitoring, routine security assessments, and regular updates to your cybersecurity practices to maintain compliance.
Unlike Certified Third-Party Assessor Organizations (C3PAOs), which conduct the actual certification assessments, we are authorized by the CMMC Accreditation Body to guide your organization through the preparation process.
With our expertise, the security and integrity of your data and systems are safeguarded – ensuring you achieve and sustain your CMMC certification.
Embrace the Future with Confidence
The implementation of CMMC 2.0 is an opportunity to enhance your organization’s cybersecurity posture and strengthen your partnership with the DoD. By taking proactive steps now, you position your business for success in a secure and compliant environment.
Contact us today to discover how we can help you navigate this transition smoothly and effectively.