In 2020, the Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) to combat evolving cyberthreats and safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at advanced levels, depending on the type and sensitivity of the information.
- Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, DoD contractors that handle FCI and CUI will be required to achieve a certain level of CMMC compliance in order to secure contracts.
After a comprehensive review in March of 2021, it was determined CMMC needed some reworking. While the rule-making efforts continue, the DoD recommends contractors continue to adhere to existing cybersecurity standards, such as compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls.
For an overview of the original CMMC design model, check out our previous post.
What Will CMMC 2.0 Look Like?
CMMC 2.0 will replace the five-level model of CMMC 1.0 with a three-tiered model. While each successive level carries more complex cybersecurity requirements, implementation will be simplified.
Controls and Requirements
The three-tiered model requirements are as follows:
- Level 1: Foundational – Level 1 remains largely the same as in model 1.0, with annual self-assessments and certifications by company leadership, as well as the same 17 controls required for protection of FCI.
- Level 2: Advanced – Level 2 is based more on CMMC 1.0’s Level 3, with branches of “prioritized acquisitions” and “non-prioritized acquisitions” depending on the sensitivity of the CUI. Prioritized acquisitions will require an independent third-party assessment every three years, while non-prioritized acquisitions will only require an annual self-assessment and certification. Level 2 will also require compliance with NIST SP 800-171 controls.
- Level 3: Expert – Level 3 will replace Levels 4 and 5 from CMMC 1.0. Acquisitions at this level require triennial government-led assessments. Level 3 will also require compliance with NIST SP 800-172 controls.
How Does this Affect Your Organization?
While these changes include a lot of information, the new model actually simplifies the process for DoD contractors to become compliant and receive CMMC certification. The model streamlines how a contractor’s compliance with the NIST framework is validated, and the type of FCI or CUI your organization handles determines which level you must meet.
While there is still time before the specifics of CMMC 2.0 are finalized, there’s no better time than now to take a closer look at your existing cybersecurity practices. Being compliant is important, but practicing good data hygiene and staying secure during day-to-day operations is just as important for avoiding a breach. To improve your organization’s security posture, there are five critical steps you can take now:
- Cybersecurity awareness training: educate your people on cyber threats, information sharing, the importance of strong passwords, what malicious links look like and what they can do, and why it’s important to install security patches and updates.
- Implement access controls such as multi-factor authentication and advanced threat detection.
- Authenticate users and grant them access only to the systems and data they need to perform their job functions.
- Update your security protections and monitor your physical space.
The DoD – and cybersecurity experts in general – also encourages organizations to implement or draw on the NIST Cybersecurity Framework, not only for compliance but also for overall security posture.
More Information to Come
CMMC 2.0 won’t be a contractual requirement until all rulemaking is complete, which can take anywhere from 9-24 months. In the meantime, contractors and suppliers should continue to adhere to the existing cybersecurity frameworks and focus on compliance with NIST SP 800-171 controls and required basic assessments.