According to the DoD, the loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB) has increased the risk to our economy and national security. To reduce this risk, the Department has worked with the DIB sector to strengthen the protection of CUI on the sector's unclassified networks. The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) framework is the result of these efforts.
The Department of Defense initially released v1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The goal of the document was to ensure that appropriate cybersecurity practices and processes were in place to protect federal contract information (FCI) and controlled unclassified information (CUI).
However, CMMC 1.0 was criticized as too complex, expensive, and onerous. The DoD heard the complaints of the DIB and responded in November 2021 by releasing CMMC 2.0, a streamlined version of the original model.
This blog will provide an overview of what CMMC 2.0 is, its practices and levels, and how to get started with your compliance journey.
The DoD introduced its CMMC initiative in mid-2019 and released CMMC 1.0 in early 2020. At that point, the DoD embarked on an ambitious plan to have every one of the hundreds of thousands of companies doing work for the DoD certified by outside assessors at their appropriate CMMC level—all within five years.
While the need for better cybersecurity throughout the DIB remained unquestioned, the significant challenge of the planned rollout quickly became clear. The DoD was inundated with hundreds of public comments from small to midsize defense contractors (SMBs) expressing concerns about the complexity of the CMMC framework and the costs of compliance and third-party certification.
Congressional hearings ensued, and in November 2021 the DoD released its much-streamlined CMMC 2.0. The new program focuses on reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements.
CMMC 2.0 differs from 1.0 in the following key ways:
As noted, CMMC 2.0 will permit some defense contractors to self-attest their cybersecurity compliance, as opposed to all contractors having to undergo third-party reviews as mandated by CMMC 1.0. Further, unlike the original framework, CMMC 2.0 will allow limited use of Plans of Action and Milestones (POAMs), which can be submitted in lieu of meeting certain non-critical security controls. Waivers of certification, too, will be permitted in very limited circumstances.
CMMC 2.0 reduces the number of CMMC levels from five to three by doing away with the old levels 2 and 4, which were originally developed as transition levels. The new CMMC 2.0 levels are based on the type of information DIB companies handle.
Unlike CMMC 1.0, which required all DoD contractors to undergo third-party assessments for CMMC compliance, CMMC 2.0 assessment requirements will be based on the type of information DIB companies are working with, as illustrated in the figure below.
Companies subject to Level 1 requirements will not require certification. Instead, the contractor must specify the people, technology, facilities and external providers within its environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204-21.
The DoD has stated that it will bifurcate Level 2 requirements in order to distinguish prioritized acquisitions, which will require independent assessment, from non-prioritized acquisitions, which will require an annual self-assessment and an annual company affirmation. Level 2 defense contractors handling CUI that is critical to national security (i.e., prioritized acquisitions) will be required to undergo third-party assessments once every three years. Those assessments will be conducted only by accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors.
Once the new CMMC 2.0 Assessment Guide is released, the CMMC-AB (CMMC Accreditation Body) will resume training C3PAOs and CMMC Assessors, as well as CMMC consultants. Contractors will be fully responsible for obtaining and coordinating the requisite assessment and certification.
After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD. Again, requirements for Level 2 align completely with NIST SP 800-171. Remember that self-assessment of NIST SP 800-171 compliance has been required since 2017 for contractors subject to DFARS 252.204-7012. In addition, as of November 2020, scores must be reported to the DoD’s SPRS (Supplier Performance Risk System).
As of December 2021, the DoD was still working on the details of the bifurcation of Level 2. DoD officials have made clear that they do not plan to create a different class of CUI. Examples of contracts provided by DoD for self-assessment are designing military uniforms or boots, both of which involve CUI but not sensitive national security information. Examples of Level 2 work that would require triennial C3PAO assessments are developing parts for a weapons system, or for a command and control communications system.
Companies seeking Level 3 (Expert) compliance will need to meet the security requirements specified in NIST SP 800-171 plus a subset of the requirements specified in NIST SP 800-172. The DoD is still determining how organizations seeking Level 3 compliance will be assessed; however, those companies will require a DIBCAC audit to achieve compliance.
The DoD anticipates that the rulemaking process will take anywhere from nine to 24 months. While these rulemaking efforts are ongoing, the DoD is suspending all CMMC pilot efforts and mandatory CMMC certification. Further, the DoD will not approve inclusion of a CMMC requirement in any DoD contract until the rulemaking process is complete. In the meantime, the DoD is exploring whether to provide incentives for contractors to voluntarily attain their needed CMMC level before rulemaking is complete.
In any case, the DoD strongly encourages defense contractors to continue to enhance their cybersecurity posture while rulemaking is underway. In fact, the DoD has recently stepped up enforcement of NIST SP 800-171, which has been in effect since 2017 and which the new CMMC Level 2 will mirror. The DoD and the Department of Justice are now working to enforce adherence to current federal cybersecurity standards and to pursue those who do not comply under the Civil Cyber-Fraud Initiative.
Defense contractors looking to start their CMMC compliance journey should aim to meet the 110 controls in NIST SP 800-171. Preparation to meet these controls should not be delayed, as it can take up to 18 months.
PreVeil’s encrypted Drive and Email support compliance with virtually all of the new CMMC Level 2 mandates related to the communication and storage of CUI. In contrast, most widely used commercial systems for storing and sharing CUI do not comply with the Level 2 requirements. Organizations using those standard commercial solutions will need to adopt new platforms to improve their cybersecurity, achieve CMMC Level 2, and win DoD contracts.
PreVeil Drive and Email can help your organization achieve NIST SP 800-171 compliance and, when the time comes, CMMC Level 2 certification — a straightforward step given that the new Level 2 requirements will mirror NIST SP 800-171. PreVeil also helps your organization comply with other federal cybersecurity regulations including DFARS 252.204-7012 and ITAR 120.54.
The new CMMC’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. But it’s clear that the DoD cannot wait for CMMC 2.0 to be implemented to improve cybersecurity in the Defense Industrial Base. While the new CMMC 2.0 framework works its way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up.
A key target for enforcement is NIST SP 800-171, which stipulates security controls necessary to protect CUI—a matter of high priority for the DoD. NIST SP 800-171 is currently the law of the land for defense contractors that handle CUI, and has been since 2017. Upon implementation, the new CMMC Level 2 will completely align with NIST SP 800-171’s 110 security controls. Clearly, compliance with NIST SP 800-171 now will smooth your company’s path to the new Level 2 when CMMC 2.0 becomes law.
It is important that organizations handling CUI and seeking future DoD contracts get started on the compliance path. Even as the final 2.0 rule winds its way through the DoD, NIST SP 800-171 remains the standard with which organizations must comply. It behooves these companies, as well as those seeking DoD contracts that may include CUI, to begin their NIST compliance path today.
To learn more about how PreVeil’s state-of-the-art platforms can help your organization, please contact us at preveil.com/contact or (857) 353-6480.