CMMC 2.0: How the DoD’s Cybersecurity Certification is Changing

The body that oversees Cybersecurity Maturity Model Certification (better known as CMMC) has just announced version 2.0 of its standards. This updated version of CMMC is significant for organizations that are part of the defense industrial base — organizations numbering 300,000-plus that comprise the supply chain for defense-related projects in the United States.

See below for more details on CMMC 2.0, plus what those changes mean for organizations that work on projects with the U.S. Department of Defense.

What is CMMC?

Non-governmental contractors have always been a vulnerability when it comes to protecting defense-related information. In the 20th century, a foreign government might approach an assembly-line worker in a weapons factory to take photos or copy documents. In the digital age, those vulnerabilities have moved online. Foreign actors instead will try to hack into information systems to access what they want. That’s why, in the 21st century, data, files and other information stored on a contractor’s server can pose a serious risk to national security.

In response to this risk, the Department of Defense implemented version 1.0 of its Cybersecurity Maturity Model Certification in January 2020. With input from leading institutions in the cybersecurity space (including federally funded and university-affiliated research groups), the first draft of the CMMC outlined best practices and procedures for securing information, plus a new requirement for third-party assessments of any contractor’s compliance with CMMC.

In version 1.0, CMMC requirements were spread across five certification levels:

• Level 1: Level 1 includes basic hygiene-related best practices, including the use of antivirus applications and the requirement for team members to regularly update their passwords.
• Level 2: Level 2 addresses more advanced hygiene practices like protecting Controlled Unclassified Information (CUI), which is unclassified information owned or created by the government that nevertheless requires protection and limited distribution. At Level 2, organizations must adhere to some security requirements included in the second revision of NIST 800-171.
• Level 3: Level 3 requires organizations to have an that drives the protection of CUI. At Level 3, organizations must adhere to all of the security requirements included in the second revision of NIST 800-171 “institutionalized management plan” that drives the protection of CUI. At Level 3, organizations must adhere to all of the security requirements included in the second revision of NIST 800-171.
• Level 4: Level 4 provides for ongoing reviews and tracking of cybersecurity measures. Specifically, organizations must have a process for review and performance measurement so that they can respond to the ever-changing techniques used by those who threaten security.
• Level 5: Level 5 demands the implementation of specific processes for dealing with advanced specific threats, better known as APTs. An APT is a party that has both the advanced skills and resources needed to pose a serious and ongoing threat via multiple vectors.

Not all organizations are able to reach the highest level of CMMC. But not all organizations need to. Some contracting engagements may only require Level 1. As any given organization begins working on more sensitive projects, that organization will need to “mature” up the CMMC framework, achieving higher levels of compliance.

On Nov. 4, 2021, just 20 months after the launch of CMMC 1.0, the Department of Defense announced significant changes to come with CMMC 2.0. While organizations can still mature up the CMMC framework, there are fewer levels to progress through — plus other changes in this second version of CMMC.

What Changes Does CMMC 2.0 Make?

CMMC 2.0 does away with the five-level framework and compresses many of the same best practices into just three levels. The CMMC 2.0 levels are:

• Level 1: Rather than third-party assessments of compliance, organizations at Level 1 may conduct self-assessments. They are required to follow a total of 17 best practices.
• Level 2: Organizations at Level 2 may conduct self-assessments on an annual basis if they are not interacting with critical national security information. Level 2 organizations must also follow 110 controls aligned with NIST 800-171.
• Level 3: Level 3 organizations will be subject to government-led assessments three times annually. They must follow more than 110 controls based on NIST SP 800-172.

The Department of Defense will encourage its contractors to start following these cybersecurity practices as soon as possible. But don’t expect this new CMMC framework to show up in contracts until mid- to late-2022. The rulemaking process related to CMMC 2.0 is likely to drift into 2023. In total, implementation of CMMC 2.0 will be a 9- to 24-month process. So, the CMMC 1.0 phase-in announced last fall will temporarily rule.

What Will CMMC 2.0 Accomplish?

Keep in mind that the CMMC is still relatively new. Unveiled initially in early 2020, the framework was always likely to be amended sooner rather than later. CMMC 2.0 includes updates and changes that are designed to accomplish three key objectives:

1. CMMC 2.0 is meant to reduce the burden on small- and medium-size government contractors. Large, multi-national contractors will always have more resources to dedicate to compliance. CMMC 2.0 is designed to make compliance easier for small contractors without compromising security.
2. CMMC 2.0 reduces the total number of practices to follow and cuts down the number of compliance levels. This trimming down of practices and levels allows the government to better emphasize its priorities within CMMC.
3. CMMC 2.0 promotes better cooperation between the Department of Defense and the larger industry that contracts with the DoD. CMMC 2.0 recognizes that better cooperation is the best way to address constantly evolving security threats.

Who Needs CMMC Certification?

In short, any organization that hopes to be part of the defense supply chain in the United States will need CMMC certification. You can find helpful answers to frequently asked questions that walk you through requirements and how your organization should take action should it want to join the defense supply chain community in the United States.

When you’re ready to take the next step and apply for CMMC, visit the CMMC Accreditation Body’s website to complete your application.

CMMC vs. NIST

When the Department of Defense first announced CMMC in early 2020, many were confused about the difference between CMMC and NIST — the National Institute of Standards and Technology. In short, both are designed to protect CUI, but CMMC goes further than NIST in its requirements. As you read above, the CMMC levels include many of the requirements outlined in NIST, but there are additional practices and requirements to follow.

The good news is this: Compliance with NIST 800-171 is the best first step you can take toward CMMC compliance. Once you comply with NIST 800-171, you can take additional steps to achieve CMMC compliance for the level that your organization needs under the current framework.

Start Your Journey Toward Compliance

Organizations that regularly interact with the United States government are required to take advanced measures to protect data, files and other information, both on premise and in the cloud

Our GOVFTP Cloud was designed to help organizations safely send, receive and store sensitive government files with relevant agencies and departments. Compliance comes first with GOVFTP Cloud — it is fully compliant with requirements outlined by ITAR, DFARS, FedRAMP Moderate, DoD IL2 and others. Discover just how easy and affordable compliance can be by looking at our GOVFTP Cloud pricing plans.

Get in touch with us for a demo and to talk to an expert about how the GOVFTP Cloud can help you grow your business as a government contractor.