The body that oversees Cybersecurity Maturity Model Certification (better known as CMMC) has just announced version 2.0 of its standards. This updated version of CMMC is significant for organizations that are part of the defense industrial base — organizations numbering 300,000-plus that comprise the supply chain for defense-related projects in the United States.
See below for more details on CMMC 2.0, plus what those changes mean for organizations that work on projects with the U.S. Department of Defense.
Non-governmental contractors have always been a vulnerability when it comes to protecting defense-related information. In the 20th century, a foreign government might approach an assembly-line worker in a weapons factory to take photos or copy documents. In the digital age, those vulnerabilities have moved online. Foreign actors instead will try to hack into information systems to access what they want. That’s why, in the 21st century, data, files and other information stored on a contractor’s server can pose a serious risk to national security.
In response to this risk, the Department of Defense implemented version 1.0 of its Cybersecurity Maturity Model Certification in January 2020. With input from leading institutions in the cybersecurity space (including federally funded and university-affiliated research groups), the first draft of the CMMC outlined best practices and procedures for securing information, plus a new requirement for third-party assessments of any contractor’s compliance with CMMC.
In version 1.0, CMMC requirements were spread across five certification levels:
Not all organizations are able to reach the highest level of CMMC. But not all organizations need to. Some contracting engagements may only require Level 1. As any given organization begins working on more sensitive projects, that organization will need to “mature” up the CMMC framework, achieving higher levels of compliance.
On Nov. 4, 2021, just 20 months after the launch of CMMC 1.0, the Department of Defense announced significant changes to come with CMMC 2.0. While organizations can still mature up the CMMC framework, there are fewer levels to progress through — plus other changes in this second version of CMMC.
CMMC 2.0 does away with the five-level framework and compresses many of the same best practices into just three levels. The CMMC 2.0 levels are:
The Department of Defense will encourage its contractors to start following these cybersecurity practices as soon as possible. But don’t expect this new CMMC framework to show up in contracts until mid- to late-2022. The rulemaking process related to CMMC 2.0 is likely to drift into 2023. In total, implementation of CMMC 2.0 will be a 9- to 24-month process. Until then, the CMMC 1.0 phase-in announced last fall remains in effect.
Keep in mind that the CMMC is still relatively new. Unveiled initially in early 2020, the framework was always likely to be amended sooner rather than later. CMMC 2.0 includes updates and changes that are designed to accomplish three key objectives:
In short, any organization that hopes to be part of the defense supply chain in the United States will need CMMC certification. You can find helpful answers to frequently asked questions that walk you through requirements and how your organization should take action should it want to join the defense supply chain community in the United States.
When you’re ready to take the next step and apply for CMMC, visit the CMMC Accreditation Body’s website to complete your application.
When the Department of Defense first announced CMMC in early 2020, many were confused about the difference between CMMC and NIST — the National Institute of Standards and Technology. In short, both are designed to protect CUI, but CMMC goes further than NIST in its requirements. As you read above, the CMMC levels include many of the requirements outlined in NIST, but there are additional practices and requirements to follow.
The good news is this: Compliance with NIST 800-171 is the best first step you can take toward CMMC compliance. Once you comply with NIST 800-171, you can take additional steps to achieve CMMC compliance for the level that your organization needs under the current framework.
Organizations that regularly interact with the United States government are required to take advanced measures to protect data, files and other information, both on premises and in the cloud.
Our GOVFTP Cloud was designed to help organizations safely send, receive and store sensitive government files with relevant agencies and departments. Compliance comes first with GOVFTP Cloud — it is fully compliant with requirements outlined by ITAR, DFARS, FedRAMP Moderate, DoD IL2 and others. Discover just how easy and affordable compliance can be by looking at our GOVFTP Cloud pricing plans.
Get in touch with us for a demo and to talk to an expert about how the GOVFTP Cloud can help you grow your business as a government contractor.
Arvind is Director of Compliance and Programs at Sharetru. He came to Sharetru with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such as Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.