CMMC 2.0

The Department of Defense (DoD) has been making efforts over the past five (5) years to strengthen cybersecurity throughout the Defense Industrial Base (DIB) and prioritize enforcement efforts. The current Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting, has been in full effect since 2017 and requires all defense contractors and subcontractors to implement the security controls defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new framework that utilizes a maturity model to codify the cybersecurity processes, capabilities, and practices that apply to defense contractors and subcontractors. While the CMMC is largely based on the security safeguards defined in NIST SP 800-171, it introduces several additional domains that are derived from multiple cybersecurity standards, frameworks, and other references. The model includes 17 domains that are comprised of corresponding cybersecurity capabilities, processes, and practices. The required processes and practices for each maturity level are identified in the CMMC framework and are categorized using three (3) levels. The higher levels build on the lower levels and introduce additional practices and processes that are intended to provide more robust protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Contractors and subcontractors must ensure cybersecurity processes and practices for the specific CMMC level that applies to their organization are implemented.

On November 4th, 2021, the Department of Defense released CMMC 2.0 program. The CMMC 2.0 program maintains the primary goal of safeguarding sensitive information. As cyber-attacks are severely growing, government agencies’ critical CUI data is being compromised daily. While government contractors are taking reactive cyber defense measures as a temporary solution, implementing the CMMC program has become the DoD’s top priority as a protective measure to improve the nation’s security posture. CMMC 2.0 has been significantly modified shifting from five maturity levels to three. All federal contractors required to meet CMMC Level 1 can now self-attest. Federal Contractors who are required to meet CMMC Level 2 can either self-attest annually or require an independent assessment by a C3PAO, depending on CUI data they transmit, process, or store. Lastly, CMMC Level 3 assessments will be conducted by government assessors. The CMMC program team is working through the rulemaking processes and CMMC 2.0 requirements will not be mandatory until the rule making is finalized.

Click here for the DoD’s press release.

New changes to the CMMC Program:
  • A reduction from five to three levels.
  • Allowances for plans of actions and milestones (POA&Ms)

CMMC Maturity Levels

The CMMC framework consists of three (3) maturity levels. Each level consists of a set of processes and practices, as shown in the image below.

Click here for accessible table

Accreditation Body & Independent Assessments

In January 2020, the CMMC Accreditation Body (CMMC-AB) was registered as a Maryland 501(c)(3) nonprofit organization and consists of board members and multiple working groups. The CMMC-AB is seeking input from industry as it relates to the purpose of each Working Group. For more information on the CMMC Working Groups, click here. Organizations that are interested in learning more about the CMMC as it evolves are encouraged to watch the National Conversation webinar series found here.

The CMMC-AB manages the operational aspects of the CMMC auditing program including the selection of Certified Third-Party Assessment Organizations (C3PAOs), training of assessors, and conducting quality control reviews of CMMC assessments. The CMMC-AB intends to support the program by establishing, training, and overseeing the community of C3PAOs and individual assessors that will evaluate covered contractor systems and defense contractor information security programs. Self-assessment and self-attestation processes, which were previously accepted, are being replaced by CMMC audits that are conducted by C3PAOs.

Start Preparing for CMMC Now

After the CMMC is rolled out, ALL DoD contractors and subcontractors who wish to conduct business with the DoD must be certified prior to the award of a contract. It is imperative that your company begins planning and preparing for CMMC and meets the requirements associated with the CMMC level that applies to your organization. As a CMMC C3PAO Candidate, COACT’s team can provide CMMC advisory services that will significantly reduce your timeline to achieve CMMC Certification.

CMMC seeks to unify the way in which the DIB implements cyber security best practices and improves information security program maturity. CMMC requires the implementation of specific security safeguards and certification that contractor or subcontractor meets requirements based on the sensitivity of data that resides within their systems. DIB contractors understand that securing sensitive data, such as Controlled Unclassified Information (CUI), is critical during contract performance and a breach or unauthorized disclosure could adversely impact the status of that relationship with a government client. CMMC highlights this need and enforces the implementation of security safeguards by contractors via the inclusion of the certification as a prerequisite for contract award. Implementing and documenting security safeguards to meet NIST 800-171 requirements is currently the best starting point for organizations seeking to achieve a CMMC certification in the future.

For more information on how our subject matter experts can help you with your readiness and compliance/assessment needs, contact us at