CMMC 2.0: What We Know So Far About Certification
Editor’s note: This article was originally published in 2020 but has been updated to reflect the latest information.
If you’re a supplier or manufacturer that relies on business with the Department of Defense (DoD) and the contracts they offer, you may need to ensure that your IT infrastructure can pass a third-party assessment for cybersecurity readiness soon.
Your organization’s ability to meet foundational (Level 1), advanced (Level 2), or expert (Level 3) standards associated with Cybersecurity Maturity Model Certification 2.0 (or CMMC 2.0) will determine your eligibility to compete for various government contracts.
Organizations will be required to self-assess and self-attest for Level 1 certification. An external, third-party assessment will determine if an organization can be certified for CMMC at Level 2 or 3.
A failed CMMC assessment could potentially lead to lost contracts, loss of revenue, and even business closure.
By starting now (if you haven’t already), you’ll put your organization on the path to a more secure future, not just in terms of the contracts you can bid on but also in warding off cyber threats.
I’ve worked in IT for more than 15 years. In my current assignment at Kelser, I focus on cybersecurity. I work with customers to evaluate and mitigate their cybersecurity risk through the implementation of the controls listed in NIST 800-171, which form the basis for CMMC 2.0, as well as internal policies and procedures.
The DoD introduced CMMC in 2019, followed by CMMC 1.0 in early 2020.
Small and medium-sized businesses quickly objected to the complexity of the CMMC framework and assessment process. As a result, the CMMC guidelines are being refined. A new version (CMMC 2.0) is expected to be fully implemented by 2025 (with indications that it may be operational to some degree before then, possibly as early as 2023).
This post will make this new set of requirements easier to understand by exploring what the certification is, who is affected, some sense of timing, and actionable next steps to get you started down the path towards a successful CMMC assessment.
What Is CMMC?
CMMC, in every form, is designed to protect information shared within the U.S. Defense Industrial Base (DIB) and the contract information necessary to produce the parts, systems, and components needed for our national defense.
The main goal throughout all its iterations is to validate the safeguards and practices that ensure basic cyber hygiene and the protection of federal contract information (FCI) and controlled unclassified information (CUI) that is present within the supplier and partner networks of the DIB.
Assessments of government contractors and subcontractors are performed to determine the level of compliance with the requirements outlined in CMMC and the preparedness and ability of those companies to handle cybersecurity threats.
These assessments will also evaluate how well organizations integrate cybersecurity into their organizational culture.
What Is CUI And FCI?
According to the National Archives, CUI or Controlled Unclassified Information is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Federal Contract Information (FCI) is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Here's an infographic from the National Archives CUI Program Blog that helps define FCI, CUI, and public information:
If you think you are in the clear because your company doesn’t handle CUI, you may still be impacted by CMMC 2.0.
According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, "If a DIB company does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1."
What Certification Levels Are Outlined In CMMC 2.0?
While CMMC originally had five levels of certification, CMMC 2.0 has been simplified to three levels:
- Level 1 (Foundational - for FCI)
- Level 2 (Advanced - for CUI)
- Level 3 (Expert - for companies working with CUI on DoD’s highest priority programs)
What Is The Timing Of CMMC 2.0?
According to the DoD CMMC FAQ page, “CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.”
Although some industry experts have anticipated the full implementation of CMMC by 2025, there is increasing evidence that the rulemaking process will be completed in time for initial phase-in activities to begin in early 2023.
Can I Do Anything In The Meantime To Prepare?
The DoD published an interim rule (DFARS Case 2019-D041) in 2020, which specified that suppliers of high-level defense manufacturers must document assessment action towards compliance with NIST 800-171.
NIST 800-171 is a set of standards related to the protection and distribution of sensitive material.
Since the controls identified in NIST 800-171 are identical to the practices assessed in a CMMC assessment, implementation of these controls is necessary for compliance with both current requirements and the practices to be assessed in CMMC.
NIST 800-171 compliance can take months to achieve depending on your current cybersecurity posture. Implementing NIST 800-171 now (if you haven’t already) will put your organization in a better position when CMMC 2.0 is formalized.
Is My Company Impacted By CMMC 2.0?
Partners or suppliers that ONLY produce commercial off-the-shelf products will likely not require CMMC certification. Companies that only have access to FCI will require only Level 1 certification.
Once CMMC 2.0 is implemented, annual self-assessments will be required (when permitted based on certification level). Additional assessments are required every three years for Level 2 (by a certified third-party assessment organization or C3PAO) and Level 3 (government assessment) certification.
What Are The 14 CMMC Controls?
CMMC identifies 14 control areas (domains). They mirror those outlined in NIST 800-171:
1. Access Control (AC)
Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes.
2. Audit and Accountability (AU)
Define audit requirements. Perform auditing. Identify and protect audit information. Review and manage audit logs.
3. Awareness and Training (AT)
Conduct security awareness and training activities.
4. Configuration Management (CM)
Establish configuration baselines. Perform configuration and change management.
5. Identification and Authentication (IA)
Grant access to authenticated entities.
6. Incident Response (IR)
Plan incident response. Detect and report events. Develop and implement a response to a declared incident. Perform post-incident reviews. Test incident response.
7. Maintenance (MA)
8. Media Protection (MP)
Identify and mark media. Protect and control media. Sanitize media. Protect media during transport.
9. Personnel Security (PS)
Screen personnel. Protect CUI during personnel actions.
10. Physical Protection (PE)
Limit physical access.
11. Risk Management (RM)
Identify, evaluate, and manage risk. Manage supply chain risk.
12. Security Assessment (CA)
Develop and manage a system security plan. Define and manage controls. Perform code reviews.
13. Systems and Communications Protection (SC)
Define security requirements for systems and communications.
14. System and Information Integrity (SI)
Identify and manage information systems flaws. Identify malicious content. Perform network and system monitoring. Implement advanced email protections.
Each of these areas is further defined by controls that describe processes or practices against which your company will be evaluated.
While only a few of these areas are relevant to Level 1 (which is based on self-assessment and self-attestation), they are all relevant to Levels 2 and 3. (More total controls across domains need to be satisfied for certification at Levels 2 and 3.)
Each level of certification builds upon the prior and represents increased levels of cybersecurity compliance and potential capability.
An assessor will examine and test your organization’s demonstrated practices or processes to determine if your organization can be certified at Level 2 or 3. (This applies just to Level 2 or 3 since Level 1 is based on self-assessment and self-attestation only.)
What Can I Do Today To Prepare For CMMC 2.0?
After reading this article, you know what CMMC is. You know how to differentiate between CUI and FCI. You are familiar with the three levels of certification outlined in CMMC 2.0. You understand the timing and know the concrete steps you can take to prepare.
And, most importantly, you know whether CMMC 2.0 will impact your organization.
You may be wondering where you go from here.
As mentioned earlier, the first step is to implement NIST 800-171, since that is the basis for CMMC 2.0 requirements.
Some of the changes necessary to become aligned with the NIST 800-171 framework will take time to implement and become part of your company culture. The best practice would be to start now. Address gaps. Find the best practices. Remediate as necessary. Test. Reassess.
Wondering what to do first? Read this article: 5 Actions To Take To Prepare For CMMC 2.0
Thinking about working with an IT managed support provider, but not sure it’s the right solution for your small or medium-sized business? Read this article for an unbiased perspective: Managed IT Support: The Pros & Cons.