
The 3 levels of CMMC 2.0: Introducing the Cybersecurity Maturity Model Certification 2.0

If you’re a company in the Defense Industrial Base (DIB), you need to know about the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. Introduced in 2019, CMMC will go into effect in May 2023.
 
But first: what is the CMMC program? It’s the DoD’s response to increased cyber risk due to the loss of Controlled Unclassified Information (CUI) from the DIB. The CMMC is designed to standardize cybersecurity requirements throughout the DIB and better secure CUI.
 
The Department of Defense initially released v1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The goal of the document was to ensure appropriate levels of cybersecurity practices and processes were in place to protect federal contract information (FCI) and controlled unclassified information (CUI).
 

Definition: CUI
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

 
Since the release of 1.0, CMMC has undergone significant revisions. Today CMMC 1.0 has been updated to CMMC 2.0. While the DoD could expedite the model’s rollout, CMMC 2.0 is expected to go into effect in May 2023 and be in contracts by July 2023. That means you have a short time to get your house in order so that you can remain competitive in the DIB. This blog is meant to help you get started. This post will provide an overview of CMMC 2.0, its practices and levels, and what you need to know to get started with your compliance journey.
 

What is CMMC 2.0 and How Does it Differ from 1.0?

The DoD introduced its CMMC initiative in mid-2019 and released CMMC 1.0 in early 2020. The initial program called for external audits of each and every one of the hundreds of thousands of companies doing work for the DoD, all within five years.


 
SMBs quickly pushed back. Hundreds of public comments expressed concerns about the complexity of the CMMC framework, arguing that the costs of compliance and third-party certification would force SMBs out of the DIB.
 
Congressional hearings followed, and in November 2021 DoD released its much-streamlined CMMC 2.0 model. The new program focuses on reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements. The DoD reshaped CMMC to follow a security-first approach that would be accessible even to smaller companies.
 

CMMC 2.0 differs from 1.0 in the following key ways:

  • It trims the number of CMMC levels from five to three. The new CMMC 2.0 levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
  • CMMC 2.0 dropped 20 security requirements for the new CMMC Level 2. It now dovetails completely with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share CUI.
  • Whereas POA&Ms were not allowed in 1.0, CMMC 2.0 will allow for limited use of Plans of Action and Milestones (POA&Ms). POA&Ms can only be used for 1- and 3-point controls and a very limited number of 5-point controls.
  • Waivers for certification will be permitted in very limited circumstances.

Plans of Action and Milestones and Waivers

The CMMC 2.0 model allows limited use of Plans of Action and Milestones (POA&Ms). At the time of assessment, an organization can submit a POA&M in lieu of meeting certain non-critical security controls. POA&Ms will only be accepted for 1- and 3-point controls. POA&Ms will not be accepted for the majority of controls worth 5 points. This is a significant change from CMMC 1.0, which did not allow POA&Ms and instead made CMMC certification the basis of go/no-go decisions for contract awards.
 

Definition: POA&M
 
POA&M stands for Plan of Action and Milestones. A POA&M is a plan that indicates the specific measures that a DIB company will take to correct deficiencies found during a security control assessment. The POA&M should identify which tasks should be done as well as the resources required to make the plan work.

 
The DoD is also planning to establish a minimum SPRS score that must be achieved when POAMs are used to support attainment of the new CMMC levels, and POAMs will be time-bound, with limits strictly enforced. DoD has not yet made a final decision regarding those time limits, but has indicated it is considering 180 days. While also unknown, many CMMC experts expect that the 180-day POAM clock will start upon award of a contract, either by DoD to a prime or by a contractor to a subcontractor.
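To make the POA&M rules above concrete, here is a worked Python example. It is added to this post for illustration and is not code from the original article or from PreVeil. It assumes the scoring method of the DoD NIST SP 800-171 Assessment Methodology (a perfect assessment scores 110 and each unmet control subtracts its 1-, 3- or 5-point weight), which the post does not spell out; it also uses constructed placeholder control IDs and weights rather than real NIST SP 800-171 identifiers, a placeholder minimum score (DoD has not set one), and an empty allowlist for the "very limited" 5-point controls that may be carried on a POA&M, since DoD has not published that list.

```python
"""Added example: score a NIST SP 800-171 self-assessment and check which
unmet controls may legitimately be carried on a POA&M under CMMC 2.0.

Assumptions (not stated in the blog post):
  * DoD Assessment Methodology scoring: start at 110, subtract each unmet
    control's weight (1, 3 or 5). A control on a POA&M still counts as unmet.
  * Control IDs and weights below are constructed placeholders.
  * The minimum SPRS score and the 5-point allowlist are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

MAX_SCORE = 110            # perfect assessment (assumption, see module docstring)
VALID_WEIGHTS = {1, 3, 5}  # the three control weights the post refers to
PLACEHOLDER_MIN_SCORE = 88 # placeholder: DoD has not announced the threshold


@dataclass(frozen=True)
class Control:
    control_id: str  # constructed placeholder, not a real NIST SP 800-171 ID
    weight: int      # 1, 3 or 5 points
    status: str      # "met", "not_met" (no plan), or "poam" (unmet, on a POA&M)


def sprs_score(controls: Iterable[Control]) -> int:
    """Subtract the weight of every control that is not fully met."""
    score = MAX_SCORE
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if c.status != "met":
            score -= c.weight
    return score


def poam_allowed(control: Control, five_point_allowlist: frozenset[str] = frozenset()) -> bool:
    """CMMC 2.0 rule from the post: POA&Ms are accepted for 1- and 3-point controls,
    and only for a very limited set of 5-point controls (caller-supplied allowlist)."""
    if control.weight in (1, 3):
        return True
    return control.control_id in five_point_allowlist


def evaluate(controls: Iterable[Control], min_score: int,
             five_point_allowlist: frozenset[str] = frozenset()) -> dict:
    """Summarise readiness: score, threshold check, POA&Ms that would be rejected,
    and gaps with no plan at all."""
    controls = list(controls)
    score = sprs_score(controls)
    ineligible = [c.control_id for c in controls
                  if c.status == "poam" and not poam_allowed(c, five_point_allowlist)]
    unplanned = [c.control_id for c in controls if c.status == "not_met"]
    return {
        "score": score,
        "meets_minimum": score >= min_score,
        "ineligible_poams": ineligible,
        "unplanned_gaps": unplanned,
        "ready": score >= min_score and not ineligible and not unplanned,
    }


def build_sample_assessment() -> list[Control]:
    """Constructed sample input: 110 placeholder controls with weights cycling
    5, 3, 1 (not the real NIST distribution); a few are unmet or on a POA&M."""
    weights = [5, 3, 1]
    controls = [Control(f"C-{i:03d}", weights[(i - 1) % 3], "met") for i in range(1, 111)]
    overrides = {
        "C-002": "poam",     # 3-point control: POA&M allowed
        "C-003": "poam",     # 1-point control: POA&M allowed
        "C-004": "poam",     # 5-point control: rejected unless allowlisted
        "C-007": "not_met",  # 5-point control with no plan: open gap
        "C-009": "poam",     # 1-point control: POA&M allowed
    }
    return [Control(c.control_id, c.weight, overrides.get(c.control_id, c.status))
            for c in controls]


if __name__ == "__main__":
    sample = build_sample_assessment()
    print(evaluate(sample, PLACEHOLDER_MIN_SCORE))
    # With a (placeholder) allowlist admitting C-004, only the unplanned gap remains.
    print(evaluate(sample, PLACEHOLDER_MIN_SCORE, frozenset({"C-004"})))
```

In the sample, the five unmet controls cost 3 + 1 + 5 + 5 + 1 = 15 points, so the score is 95. The report flags C-004 as a POA&M that would not be accepted and C-007 as a gap with no plan, so the organization is not ready even though it clears the placeholder threshold; this is the kind of check worth running before an assessment rather than after.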

What are the 3 levels of CMMC 2.0?

CMMC 2.0 lowers the number of CMMC levels from five to three. It does this by cutting the old levels 2 and 4, which were originally developed as transition levels. The new CMMC 2.0 levels are based on the type of information DIB companies handle.
 

  • Level 1 (Foundational) only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls aim to protect covered contractor information systems and limit access to authorized users.
  • Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3.
    CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171, and all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 families and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.
  • Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

 

14 NIST 800-171 Families


The DoD understands the pain of having many different regulations to adhere to, each with their own set of requirements. Going forward, the DoD is committed to working with NIST to add new CMMC requirements as the need arises. This collaborative approach to the CMMC program will make it easier for other federal agencies to adopt.

Who needs CMMC certification?

Every contractor in the defense industrial base must conduct a self-assessment once per year. However, the same is not true for third-party assessments. CMMC 2.0 recognizes that different types of sensitive information require different degrees of protection. As such, third-party assessment requirements will be based on the type of information DIB companies are working with.
 
Companies seeking Level 1 will not require third-party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204-21.
 
If you’re seeking CMMC level 2, you can expect to need a third-party assessment every three years. The DoD has rolled back its earlier statements that it will bifurcate level 2 requirements. This means that you should plan on being assessed by accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors.
 
Companies seeking Level 3 (Expert) compliance will need to meet the security requirements specified in NIST SP 800-171 plus a subset of requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking level 3 compliance will be assessed. However, those companies will require a DIBCAC audit to achieve compliance.
 
At present, no assessments of defense contractors by C3PAOs are taking place. The DoD is expected to roll out the final assessment process for C3PAOs in the summer of 2022. At that time, contractors will be able to undergo voluntary assessments with certified C3PAOs.

CMMC 2.0 Timeline – When will CMMC be in contracts?

The DoD’s Stacy Bostjanik recently announced that the likely date of the CMMC 2.0 interim rule is May 2023. CMMC 2.0 will go into contracts 60 days later, in July 2023.
 
While updated contracts are phased to begin between 2023-2026, there is no reliable way for companies to predict which group they’ll fall into. This means that all 80,000 businesses in the DIB who handle CUI should plan to be compliant with CMMC Level 2 by July 2023.

Cost of CMMC 2.0 compliance

CMMC 2.0 costs are projected to be significantly lower relative to CMMC 1.0 as a result of plans to streamline requirements at all levels, increase oversight of the third-party assessment ecosystem, and allow contractors at the new Level 1 to perform self-assessments rather than undergo third-party assessments. That said, the cost of CMMC compliance depends on a number of factors.*

Size

While the size of the organization seeking compliance can have a significant impact on overall project costs, the actual number of employees accessing CUI is the more significant driver in determining overall costs of CMMC compliance. As such, organizations should limit the number of employees and technologies touching CUI in order to best manage the compliance boundary and cost.

Maturity

If you’re starting from scratch, your compliance journey will likely cost more, and take longer, than a company that’s further along in their process to start with. Things to consider include the overall maturity level of documentation development, technology implementation, and what processes and procedures are already documented and in use.

Technology Implementation

Achieving CMMC compliance will require a combination of policy as well as technology. The more technologies your organization has to implement, though, the greater your costs. Some of the more expensive technologies include SIEM, vulnerability scanning tools and FIPS 140-2 validated technology tools.

Cost Breakdown

For most organizations, consulting costs will make up the bulk of their budget. This includes policy, procedure, documentation creation and gap analysis. Current industry figures put consulting costs alone for an SMB at between $5,000 and $25,000.
 
The industry standard for technology solutions, including managed services, is between $1,000 and $2,500 per month.
 
Your CUI technology solution will make up the rest of your budget. These solutions typically cost between $30-$80 per user per month.
 
*Note: The cost figures presented here are industry averages. Depending on your organization’s maturity, your costs may vary.

How to get started with CMMC 2.0 compliance

If you’re a defense contractor looking to start your CMMC compliance journey, you should look to meet the 110 controls in NIST 800-171. Don’t procrastinate. Preparation to meet these controls can take up to 18 months.


PreVeil’s encrypted Drive and Email support compliance with virtually all the new CMMC Level 2 requirements related to the communication and storage of CUI. In contrast, most widely-used commercial systems used to store and share CUI do not comply with the Level 2 requirements. Organizations using those standard commercial solutions will need to adopt new platforms to improve their cybersecurity, achieve CMMC Level 2, and win DoD contracts.
 
PreVeil Drive and Email can help your organization achieve NIST SP 800-171 compliance and, when the time comes, CMMC Level 2 certification — a straightforward step given that the new Level 2 requirements will mirror NIST SP 800-171. PreVeil also helps your organization comply with other federal cybersecurity regulations including DFARS 252.204-7012 and ITAR 120.54.

Conclusion

The new CMMC’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. But it’s clear that the DoD cannot wait for CMMC 2.0 to be implemented to improve cybersecurity in the DIB. While the new CMMC 2.0 model works its way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up.
 
A key target for enforcement is NIST SP 800-171, which has stipulated security controls necessary to protect CUI since 2017. Compliance with NIST SP 800-171 now will smooth your company’s path to the new Level 2 Advanced, which matches its 110 controls perfectly, when CMMC 2.0 becomes law.
 
It is important that organizations handling CUI and seeking future DoD contracts get started on the compliance path. Even as the final CMMC 2.0 rule is winding its way through DoD, NIST 800-171 continues as the standard which organizations must seek to comply with. If you’re a defense contractor, or plan to seek DoD contracts that may include CUI, you need to get started with your NIST compliance path today.


To learn more about how PreVeil’s state-of-the-art platforms can help your organization, please contact us at preveil.com/contact or (857) 353-6480.