With the release of CMMC 2.0 in late 2021, the DoD has streamlined its original 1.0 model. As a result, CMMC compliance will be simpler and more affordable. The goal of this blog is to highlight three important changes to the CMMC framework and explain what they mean for your compliance journey.
Change #1: DoD has completely aligned the requirements for the new Level 2 with the 110 security controls of NIST SP 800-171.
CMMC 2.0 drops the number of CMMC levels from five to just three levels. The new levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The new Level 2 is similar to the original Level 3: organizations at this level must securely store and share Controlled Unclassified Information (CUI)—a matter of high priority for the DoD. If your company does work for the DoD that involves handling CUI—either as a prime or subcontractor—then you will need to achieve at least the new Level 2 certification.
Meeting the new Level 2 has become easier for contractors because the DoD has completely aligned the standard with the 110 security controls in NIST SP 800-171. The DoD dropped the 20 additional security controls that had been added to the CMMC 1.0 model. With this streamlining comes clarity and simplicity.
The DoD’s NIST SP 800-171 self-assessment methodology is well established and serves as your baseline for figuring out where you are on your compliance journey. Ideally your organization has already started down this path, since defense contractors that handle CUI have been required to meet the NIST SP 800-171 security standards since late 2017. That is, for the past four years, your organization has been required to do what the new Level 2 will require.
Since 2020, the DoD has required not only that NIST SP 800-171 self-assessments be conducted annually, but also that the scores from those assessments be filed with the DoD’s Supplier Performance Risk System, known as SPRS. If your organization’s SPRS score falls below the highest possible NIST SP 800-171 score of 110, you are required to create a POAM—a Plan of Action and Milestones—and indicate when the security controls you have not yet met will be met.
Change #2: CMMC 2.0 will permit the use of POAMs
Allowing POAMs unquestionably simplifies CMMC certification. Your organization will not need a perfect SPRS score to be awarded DoD contracts, which CMMC 1.0 would have required.
That said, CMMC 2.0 will bring changes to current practices regarding POAMs. First, the DoD plans to allow only a subset of security controls to be addressed in POAMs. All other controls will need to be met, and the DoD intends to establish a minimum SPRS score that must be achieved prior to the award of a contract. Further, POAMs will not be acceptable for the highest-weighted security controls (each of NIST SP 800-171’s 110 controls is weighted at either 1, 3 or 5 points).
Another change to current POAM practices is that once CMMC 2.0 is implemented, the DoD intends to impose limits on how long contractors can take to meet the controls they’ve had to write POAMs for. The DoD has indicated that the time limit will be 180 days. That means that under CMMC 2.0, the reprieve from security controls that POAMs have historically offered will be short-lived.
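To make the scoring and POAM rules above concrete, here is an added example (not from the original post and not PreVeil's code) that computes an SPRS-style score from a sample assessment, separates gaps that may go into a POAM from those that must be fixed before award, and applies the 180-day limit. The control ids and weights are constructed samples, the rule that only 5-point controls are excluded from POAMs is a simplification, and the minimum award score is an assumption, since the DoD has not yet published it.

```python
from datetime import date, timedelta

# Constructed sample assessment: the ids and weights are illustrative only,
# not the real NIST SP 800-171 weight table (each real control is worth 1, 3 or 5).
SAMPLE_ASSESSMENT = [
    {"id": "CTRL-01", "weight": 5, "met": True},
    {"id": "CTRL-02", "weight": 5, "met": False},   # unmet 5-point control
    {"id": "CTRL-03", "weight": 3, "met": False},
    {"id": "CTRL-04", "weight": 1, "met": False},
    {"id": "CTRL-05", "weight": 1, "met": True},
]

MAX_SCORE = 110        # perfect NIST SP 800-171 self-assessment score
POAM_DAYS = 180        # limit the DoD has indicated for closing a POAM item
MIN_AWARD_SCORE = 80   # assumption: placeholder, the DoD has not published this value


def sprs_score(assessment):
    """Start at 110 and subtract the weight of every control not yet met."""
    return MAX_SCORE - sum(c["weight"] for c in assessment if not c["met"])


def triage_gaps(assessment):
    """Split unmet controls into POAM-eligible ids and must-fix-first ids.
    Simplification: a control is treated as POAM-eligible only if it is not
    a 5-point control; the DoD's actual eligible subset is not yet defined."""
    poam, blocking = [], []
    for c in assessment:
        if c["met"]:
            continue
        (blocking if c["weight"] == 5 else poam).append(c["id"])
    return poam, blocking


def poam_deadline(opened, days=POAM_DAYS):
    """Date by which a POAM item opened on `opened` must be closed."""
    return opened + timedelta(days=days)


def award_ready(assessment, min_score=MIN_AWARD_SCORE):
    """True only if the score clears the minimum and no 5-point control is open."""
    _, blocking = triage_gaps(assessment)
    return sprs_score(assessment) >= min_score and not blocking


if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT))
    print("poam / blocking:", triage_gaps(SAMPLE_ASSESSMENT))
    print("deadline for a POAM opened 2022-01-01:", poam_deadline(date(2022, 1, 1)))
    print("award ready:", award_ready(SAMPLE_ASSESSMENT))
```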
Change #3: CMMC 2.0 will permit some defense contractors to self-attest their cybersecurity compliance
CMMC 1.0 would have required all DoD contractors to undergo third-party assessments for CMMC certification. While it is important to know that security requirements remain the same in either case, self-attestation of compliance is simpler and less costly for defense contractors than undergoing a third-party review.
Assessment requirements will be based on the type of information organizations are working with, as illustrated below.
[Figure: CMMC 2.0 model and assessments based on information being handled]
At Level 1, defense contractors handling FCI will be permitted to perform annual self-assessments, as will a subset of Level 2 contractors that, while handling CUI, are working on projects that do not involve sensitive national security information (i.e., non-prioritized acquisitions).
Level 2 defense contractors handling CUI that is critical to national security (i.e., prioritized acquisitions) will be required to undergo third-party assessments once every three years. Those assessments will be conducted only by accredited C3PAOs (CMMC Third Party Assessment Organizations). Contractors will be responsible for coordinating and obtaining the needed assessment and certification.
Again, it is important for contractors permitted to self-assess to know that they still have to meet all necessary security requirements for their assigned CMMC level. In other words, self-assessment does not give contractors an opening to avoid meeting security requirements. Falsifying your self-assessment score could subject you to penalties under the False Claims Act.
Additionally, meeting the 110 controls of NIST SP 800-171 is of particular importance for contractors planning to seek Level 2 compliance. The DoD has stated that defense contracts that start at self-assessment could switch to requiring outside, third party assessments at a future date.
All Level 3 contractors—who by definition are working on the most critical defense programs—will be required to undergo triennial assessments done by audit teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s ultimate authority on compliance.
So what’s the next step for defense contractors?
Now is the time to implement a compliant cybersecurity program—contractors won’t have time to react later when CMMC 2.0 becomes law. And the place to start is NIST SP 800-171.
The key to achieving NIST SP 800-171 compliance is to implement technology solutions in conjunction with appropriate policies and procedures to ensure the security of CUI. But most widely-deployed commercial systems used to store and share CUI—such as Microsoft O365 Commercial and Gmail—do not comply with NIST SP 800-171 requirements. Organizations using those standard commercial solutions will need to adopt new platforms to improve their cybersecurity.
Given the weight that NIST SP 800-171 places on the protection of CUI—which the new CMMC Level 2 security controls will mirror—perhaps the most important decision in embarking on both a NIST SP 800-171 and a CMMC Level 2 compliance effort is choosing a technology platform to store and share CUI. CUI is typically shared in the form of files or emails, and thus platforms that protect file sharing and emails are key tools for raising your score.
PreVeil’s Drive and Email platform can help your company leverage the changes to the CMMC framework to achieve compliance more affordably: PreVeil needs to be deployed only to your employees that handle CUI, and its platform deploys in hours, not months, with no disruption to existing IT systems. And because it is easy to deploy, it is less expensive and easier to manage.
Once your organization has protected its CUI, your NIST SP 800-171 self-assessment score will increase significantly.
The new CMMC Level 2 security requirements will be in complete alignment with the 110 security controls of NIST SP 800-171—which defense contractors have been required to comply with since 2017. DoD’s current requirements to protect CUI are in effect while CMMC 2.0 works its way through the federal rulemaking process.
Defense contractors need to maintain their efforts to secure their data and continue to raise their NIST SP 800-171 scores toward the goal of 110. Companies that are prepared and compliant, with a high NIST SP 800-171 score and few POAMs, will have competitive advantages when contracts are awarded, audits happen, and CMMC 2.0 is implemented.
To learn more about PreVeil’s encrypted file sharing and email platforms, please see PreVeil’s resources listed below. Or sign up here for a free 15-minute consultation with our compliance team to answer your specific questions about CMMC.