CMMC 2.0 is here. In fact, the CMMC 2.0 final rule has been released and will be published in the Federal Register today. In this post, we’ll offer a brief history of CMMC and talk about some key differences between CMMC 1.0 and CMMC 2.0.
Anyone considering moving towards a CMMC certification will better understand what steps are involved and how ONE 2 ONE can help you by providing one of the significant steps in the process for FREE!
What is CMMC?
CMMC, or the Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) program that helps contractors working with the Federal Government meet cybersecurity requirements. The program was developed to protect Controlled Unclassified Information (CUI) shared with contractors and subcontractors. Given the number of data incidents and breaches, you can understand why such a program was developed.
In fact, the US government released the original CMMC program in January 2020 in response to major supply chain attacks and a lack of adherence to previously prescribed cybersecurity practices—namely, the 110 controls of NIST 800-171. There have been changes along the way, but we now have a clear final rule with a three-year phased approach to including this requirement in new contracts.
Let’s look at some of the changes to CMMC 2.0.
What is happening with CMMC?
If you missed it, the comment period on the proposed acquisition rule closed yesterday, October 14th. The new ruling is expected to be published in the Federal Register today, October 15th. Two key areas stand out when comparing CMMC 1.0 versus 2.0.
The first difference in the revised 2.0 version is the allowance for Plans of Action and Milestones, or POA&Ms. POA&Ms will be granted for specific requirements as outlined in the rule, giving businesses the opportunity to obtain a conditional certification for 180 days while they work to meet the NIST standards.
A big revision is a reduction in assessment levels to help streamline and simplify the process for small and mid-sized businesses. The original CMMC 1.0 included five levels of assessment, while the 2.0 version now only includes three. Under the new rule, the DoD will also allow some businesses to self-assess their compliance based on their level of maturity.
CMMC 2.0 Requirements
CMMC provides tools to hold businesses and individuals accountable when they put US information or systems at risk. CMMC 2.0 ensures adherence to the 110 controls of NIST 800-171 (plus 24 controls from NIST 800-172 for Level 3). It is important to note that the majority of contracts already require adherence to NIST 800-171. The fundamental difference is that previously, organizations could self-attest to their compliance. Now, the majority will need to go through an assessment by a C3PAO (CMMC Third-Party Assessment Organization).
With the new ruling, the levels of assessment have dropped from five to three. Although the number of levels has dropped, each level is still based on operational maturity and the sensitivity of the data handled. These three levels are Foundational, Advanced, and Expert.
Level 1: Foundational
Allows self-assessment to ensure basic protection of Federal Contract Information (FCI).
Level 2: Advanced
Requires general protection of CUI, verified by either a third-party assessment or a self-assessment at CMMC Level 2.
Level 3: Expert
Requires higher-level protection of CUI against risk from Advanced Persistent Threats (APTs), with the assessment led by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
When Will the Requirements Go into Effect?
The DoD plans to scale the CMMC requirements across all contracts that include access to CUI. In its proposed acquisition rule, the Pentagon presented plans for a three-year-long phased rollout of the requirements. Over this three-year period, DoD program managers will have the discretion to include CMMC in contracts.
Even with the reduced levels of assessments, the complexity and cost of CMMC for small to mid-sized businesses can be overwhelming. Because of these factors, the Pentagon is suggesting businesses use cloud services and knowledgeable, trusted vendors to meet requirements.
How to Get a CMMC Certification
If you’re considering working towards CMMC Certification, here are some areas you’ll want to focus on:
- Understand the requirements of your current contracts—you likely already need to adhere to the 110 controls of NIST 800-171!
- Perform a Gap Analysis to understand where you are starting from.
- Work with a trusted provider to develop a POA&M (Plan of Action and Milestones) for remediation of the identified gaps in compliance.
- Select a third-party assessment organization (C3PAO).
- Schedule and undergo the CMMC assessment.
- Receive your certification.
- Re-assess with a C3PAO triennially (every three years).
The certification process can take 6-8 months for Level 1 and up to 9-12 months for Levels 2-3.
Let ONE 2 ONE Help You
The foundation of CMMC 2.0 is the NIST 800-171 framework. A NIST assessment will help you understand your cybersecurity maturity and develop a plan to close security gaps.
ONE 2 ONE offers an initial free assessment questionnaire that will help identify the work needed to get to compliance. From there, we can help with remediation of issues and implementation of security layers.
Schedule Your FREE NIST Assessment Today!