Evolving Threats and Standards for Defense Contractors: An Introduction to CMMC 2.0

The Pentagon is encouraging defense contractors to adhere to the cybersecurity practices set out by the National Institute of Standards and Technology (NIST). According to a Defense Department official, about 40,000 companies will still require a third-party assessment under the revamped Cybersecurity Maturity Model Certification program, called CMMC 2.0.

CMMC 2.0 has an updated program structure that reflects the primary goals of the DoD's internal review: safeguard sensitive information to enable and protect the warfighter, while dynamically enhancing defense industrial base (DIB) cybersecurity standards to meet evolving threats.


What is a cyber readiness program and why is it important?

To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. With its streamlined requirements, CMMC 2.0:

  • Cuts red tape for small and medium-sized businesses.
  • Sets priorities for protecting DoD information.
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.

What does the change from CMMC 1.0 to CMMC 2.0 mean for your organization?


What is CMMC 2.0 and how does it differ from 1.0?

  • The mandatory requirements in NIST 800-171 have not changed. Companies handling Controlled Unclassified Information (CUI) will notice very little change with CMMC 2.0.
  • CMMC 2.0 is a leaner, more flexible version of CMMC 1.0.
  • CMMC 1.0 required contractors to implement 100% of their security practices before being assessed as compliant with a specific level. CMMC 2.0 provides defense contractors with more flexibility if they do not meet full compliance requirements at any level.

Who needs CMMC Certification?

  • CMMC is required of any entity in the DoD supply chain, including contractors and subcontractors who interact exclusively with the Department of Defense. According to the DoD, the CMMC requirements will affect over 300,000 organizations.

What are the 3 levels of CMMC 2.0?

  • The three increasingly progressive levels are:
    • Level 1 / Foundational (same as previous Level 1)
      • Contractors not handling critical information related to national security require annual self-assessments.
    • Level 2 / Advanced (previous Level 3)
      • Contractors handling critical information related to national security will require third-party assessments by a CMMC Third-Party Assessment Organization (C3PAO).
    • Level 3 / Expert (previous Level 5)
      • Highest priority: contractors affiliated with the most critical defense programs will require a government-led assessment.

CMMC 2.0 Timeline - When will CMMC 2.0 be required?

  • A final rule has not been issued. A close approximation could be Q2 2023; however, the rule-making process can take 9-24 months. CMMC 2.0 will become a requirement once the rulemaking is complete. (i)
  • Companies planning for CMMC are already subject to FAR 52.204-21 and/or DFARS 252.204-7012, which form the basis for CMMC 2.0 Level 1 and 3.

How do small to midsize defense contractors (SMBs) navigate the complexity of the CMMC framework?

  • Companies can conduct a NIST SP 800-171 self-assessment and calculate their SPRS score. By doing so, companies will be compliant with the interim DFARS rule. These scores and assessments can provide an indication of CMMC preparedness.

What are the costs of compliance and third-party certification?

  • The DoD states that CMMC 2.0 will greatly reduce cost overall compared to CMMC 1.0, due to the removal of the assessment requirements found in Levels 1, 2, and 4. Companies not handling CUI will find further savings through the allowance of self-assessments. (ii)
  • Multiple factors play a role in determining costs:
    • Network complexity
    • Market forces
    • Gap analysis and remediation expenses
  • The DoD is developing new cost estimates associated with CMMC 2.0. (iii)

How can American Technology Services help with CMMC 2.0?

  • A successful CMMC readiness assessment begins with a comprehensive review of a company's cybersecurity hygiene. Working in cooperation with clients, the ATS Compliance team can achieve preliminary audit success through several steps:
    1. A detailed review of all existing compliance frameworks
    2. A review of existing documentation and plans
    3. An interview covering domain-level CMMC audit requirements
    4. A gap analysis of the deficiencies that assessors will find
    5. Cost-effective remediation paths
    6. A summary report that wraps up all discoveries and suggestions


Bibliography

(i) Retrieved from https://www.acq.osd.mil/cmmc/faq.html

(ii) Retrieved from https://info.summit7.us/blog/cmmc-2.0-understanding-dod-strategic-intent-part1

(iii) Retrieved from https://www.acq.osd.mil/cmmc/faq.html