The original CMMC framework put up high hurdles for defense contractors to clear. It introduced 20 new security controls on top of NIST SP 800-171 for companies that handle Controlled Unclassified Information (CUI), and it expected 100% compliance before any work could start on defense contracts. Under the original CMMC, Plans of Action & Milestones (POA&Ms), which give contractors the opportunity to show how they will meet any unmet controls over time, would not have been permitted.
CMMC 2.0, however, significantly improves on the original framework by taking a security-first approach and making the path to compliance smoother, particularly for small to mid-size businesses (SMBs). This blog explains how.
DoD has dropped its proposed 20 new security controls and has instead committed to aligning CMMC 2.0 with the standards of the National Institute of Standards and Technology (NIST), making compliance requirements clearer and more consistent for defense contractors.
The new CMMC Level 2 requirements will mirror the 110 security controls of NIST SP 800-171, developed by NIST specifically to protect CUI. Defense contractors that handle CUI have been required to comply with NIST SP 800-171 as part of their DFARS contract obligations since 2017, and to report those scores to the DoD’s Supplier Performance Risk System (SPRS) since 2020.
CMMC 2.0 will allow the use of Plans of Action & Milestones (POA&Ms) to help achieve compliance, unlike the original CMMC framework. In other words, you won't be operating under a pass/fail system to do work for the DoD. Instead you can take a more robust approach to compliance by focusing on security first and breaking your journey down into doable parts. That starts by assessing and documenting which of the required CMMC 2.0 security controls your organization meets, and creating a POA&M for the controls you don't meet.
POA&Ms lay out your path to compliance by identifying, for each unmet security control, the action items needed to meet it, who is responsible for taking those actions, milestones to achieve along the way, and a completion date.
Note that DoD's allowance of POA&Ms is not an opening for companies to skirt security requirements. Under CMMC 2.0, POA&Ms will be time-limited; while not yet finalized, DoD has indicated that the limit will be 180 days. Additionally, under CMMC 2.0 POA&Ms won't be permitted for certain high-priority security controls, which must be fully met before assessment.
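The POA&M fields and constraints described above are easy to get wrong in a spreadsheet, so here is a small tracker that checks them. This is an added example written for this article, not PreVeil's code or a DoD tool: it validates each entry against the indicated 180-day limit, flags controls that may not be placed on a POA&M, and computes a provisional score in the style of the DoD NIST SP 800-171 Assessment Methodology (full marks are 110; each unmet requirement deducts 1, 3 or 5 points). The set of ineligible controls and the per-control weights are assumed placeholders for illustration; look up the official lists before relying on them. The sample POA&M entries and assessment date are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Time limit DoD has indicated for CMMC 2.0 POA&Ms (not yet finalized at the time of writing).
POAM_MAX_DAYS = 180

# Requirements that will not be POA&M-eligible. DoD decides the real list;
# these identifiers are an ASSUMED placeholder for illustration only.
POAM_INELIGIBLE = frozenset({"3.5.3", "3.13.11"})

# Full score under the DoD NIST SP 800-171 Assessment Methodology. Each unmet requirement
# deducts a weight of 1, 3 or 5 points; the weights below are ILLUSTRATIVE, not official values.
MAX_SCORE = 110
ASSUMED_WEIGHTS = {"3.3.1": 1, "3.5.3": 5, "3.14.1": 3}


@dataclass(frozen=True)
class PoamItem:
    control: str                               # NIST SP 800-171 requirement id, e.g. "3.5.3"
    action: str                                # what will be done to meet the requirement
    owner: str                                 # who is responsible for doing it
    milestones: tuple[tuple[date, str], ...]   # dated interim milestones
    completion: date                           # date the requirement will be fully met


def validate_poam(items, assessment_date):
    """Return (control, problem) pairs for every entry that would not be acceptable."""
    findings = []
    for item in items:
        if item.control in POAM_INELIGIBLE:
            findings.append((item.control, "not POA&M-eligible; must be met before assessment"))
        days_open = (item.completion - assessment_date).days
        if days_open > POAM_MAX_DAYS:
            findings.append((item.control,
                             f"completion date exceeds the {POAM_MAX_DAYS}-day limit "
                             f"by {days_open - POAM_MAX_DAYS} days"))
        if not item.owner.strip():
            findings.append((item.control, "no responsible owner named"))
        if any(when > item.completion for when, _ in item.milestones):
            findings.append((item.control, "milestone dated after the completion date"))
    return findings


def provisional_score(unmet_controls, weights):
    """Score as it would be reported to SPRS: full marks minus the weight of each unmet requirement."""
    return MAX_SCORE - sum(weights[c] for c in unmet_controls)


# Constructed sample POA&M for a fictional contractor assessed on 1 March 2022.
ASSESSMENT_DATE = date(2022, 3, 1)
SAMPLE_POAM = (
    PoamItem("3.3.1", "Forward system logs to a central collector", "IT lead",
             ((date(2022, 4, 1), "collector deployed"),), date(2022, 6, 1)),
    PoamItem("3.5.3", "Enforce MFA for all privileged and remote access", "Security lead",
             (), date(2022, 5, 1)),
    PoamItem("3.14.1", "Patch all internet-facing systems within 30 days of release", "IT lead",
             ((date(2022, 11, 1), "patch SLA reviewed"),), date(2022, 10, 1)),
)

if __name__ == "__main__":
    for control, problem in validate_poam(SAMPLE_POAM, ASSESSMENT_DATE):
        print(f"{control}: {problem}")
    unmet = [item.control for item in SAMPLE_POAM]
    print("provisional score:", provisional_score(unmet, ASSUMED_WEIGHTS))
```

Run as a script it reports that 3.5.3 cannot sit on a POA&M at all, and that the 3.14.1 entry both overruns the 180-day window and has a milestone dated after its own completion date; the 3.3.1 entry passes. The score function is the same arithmetic an assessor applies: the contractor in the case study later in this article started below 110 and reached 110 only once every deduction was gone.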
These key changes in CMMC 2.0 highlight the DoD's security-first approach to protecting CUI. Without POA&Ms, for example, defense contractors would be more likely to focus on checking off long compliance lists as quickly as possible so as to meet 100% of the requirements. This compliance-first approach most often leads to patching together disjointed tactics, and inevitably compromises data security in the process.
The NSA’s memorandum, Embracing a Zero Trust Security Model (February 2021) explains:
Instead, NSA recommends a Zero Trust model, an integrated and modern approach to cybersecurity. Zero Trust “eliminates trust in any one element, node, or service” and “assumes that a breach is inevitable or likely has already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
PreVeil is an example of a platform that takes a security-first approach, from which compliance logically follows. Its end-to-end encrypted platform embeds Zero Trust principles to protect CUI, and helps defense contractors comply with the new CMMC Level 2 security requirements. It also helps meet the contractual obligations stipulated in DFARS 252.204-7012 and ITAR, and the FIPS 140-2 validated encryption those obligations call for.
While the changes to CMMC are good news, especially for SMBs, you’ll still need to make a determined effort to achieve CMMC certification. PreVeil can help, as shown in an actual case study.
An SMB defense contractor was selected to undergo a DoD assessment of the 110 NIST SP 800-171 controls. On the advice of their expert consultant, the SMB deployed PreVeil as a simple overlay to their existing Microsoft O365 environment, since Microsoft's commercial environment cannot be used for storing and sharing CUI. The contractor's score dramatically improved, since PreVeil's platform supports 84 of the 110 NIST controls, including all the controls related to the protection of CUI and those weighted most heavily in the DoD's NIST SP 800-171 Assessment Methodology scoring.
After deploying PreVeil and submitting its System Security Plan (SSP), the defense contractor was ready for its DoD assessment. The assessor found just one control that needed remediation. The contractor created a POA&M and quickly took action to address the finding. Soon thereafter, the contractor was reassessed by DoD and achieved the highest possible score, 110 out of 110, on its NIST SP 800-171 assessment.
This case study highlights not only the power of PreVeil's platform but also that the contractor was able to achieve compliance with the 110 NIST SP 800-171 controls by relying on CMMC 2.0's allowance of POA&Ms and its security-first approach to compliance.
As the case study shows, POA&Ms open the way to a robust, security-first approach to compliance by allowing contractors to level up their security with a platform such as PreVeil, and then continue to improve over time as needed. The benefits of aligning the CMMC and NIST security controls are also clear: not only does alignment simplify compliance, it also means that the progress your organization makes now toward NIST compliance will lead to CMMC certification too.