CMMC 2.0 Compliance – Why You Can’t Wait
Do you support the U.S. Department of Defense (DoD) either directly as a contractor or indirectly as a subcontractor? If yes, you are required to comply with CMMC 2.0.
It doesn’t matter whether you develop or deliver a product or a service for the DoD. Your product might be an aircraft, a computer, or a fax machine; your service might be aircraft maintenance, cloud storage, or fax repair; or it might be any other product or service.
What DOES matter, for purposes of CMMC 2.0 compliance, is the type of information you collect, create, transmit, or receive during the course of fulfilling your contract or subcontract.
Two Types of Information Drive CMMC 2.0 Compliance
If you handle federal contract information (FCI) and/or controlled unclassified information (CUI) as part of your contractual work for the DoD, you are required to demonstrate compliance with the CMMC 2.0 cybersecurity framework in order to maintain your DoD contract.
This requirement applies to any organization, regardless of size or industry. It applies whether you create the information, file or store it, transfer or distribute it, archive or dispose of it, or are otherwise responsible for it. Failure to comply—and to have your compliance certified—is likely to jeopardize your DoD work once the CMMC 2.0 requirement begins appearing in DoD contracts next year.
The good news is that you still have time (just) to become compliant and attain certification before this requirement takes effect. But you need to get started now.
Why CMMC 2.0 Compliance is Mandatory
For reasons of national security, the DoD needs to make sure its extensive supply chain is protected from data breaches and other cyber threats. One weak link is all it takes to potentially jeopardize the entire chain. More than 200,000 organizations comprise the DoD supply chain, with varying degrees of cybersecurity and information security safeguards in place.
Controlled unclassified information (CUI) is very sensitive information, although it is not considered classified information.* Instead, it has been judged to be “pertinent to our national interests, or pertinent to the important interests of entities beyond the federal government.” Because of this, it requires proper protection, which is spelled out in CMMC 2.0.
Similarly, federal contract information (FCI) is “provided by or created for the DoD under a contract to develop or deliver a product or service to DoD. It is not intended for public release.” As such, it is considered sensitive enough to require proper protection, which is also spelled out in CMMC 2.0.
* Protection requirements for classified information are addressed in Executive Order 13556 rather than in CMMC 2.0.
Important Dates for CMMC 2.0 Compliance
March 2023. CMMC 2.0, which replaces and streamlines the original Cybersecurity Maturity Model Certification, is expected to be ratified and published in the Federal Register, making it officially live.
July 2023. DoD anticipates that the requirement for contractors to be CMMC 2.0 certified will begin appearing in its contracts. This gives contractors one year to prepare for compliance and become certified.
August 2022. Rather than waiting for the official launch, DoD plans to jump-start the compliance process with a voluntary, early program that allows contractors to obtain compliance assessments and certification from official third-party assessors. These early certifications will be accepted when CMMC compliance requirements begin appearing in DoD contracts next summer.
This interim program enables those who are already well along in the compliance process to continue toward certification without delay. It will also alleviate some of the high demand for compliance and certification resources that is expected next year when CMMC 2.0 goes live.
The compliance and certification process can take six months to a year, or longer, depending on these factors:
- The findings of your mandatory compliance assessment,
- How long it takes you to address those findings (i.e., close compliance gaps and fix security vulnerabilities) in order to become compliant, and
- How quickly an authorized third-party assessor can certify your compliance.
The closer we get to July 2023, the more urgent it will become to lock in an authorized third-party assessor and schedule your official compliance assessment. As of this writing, there are just 16 authorized assessors listed on the CMMC Accreditation Body website under Marketplace.
Levels of CMMC 2.0 Compliance are Based on Information Types
In CMMC 2.0, three maturity levels reflect the type of information a defense contractor or subcontractor handles, processes, or is otherwise responsible for. The compliance requirements established for each level are appropriate for each information type. It is vital to understand these distinctions as you prepare for the appropriate level of compliance.
It is also important to understand that the three levels and their respective requirements are cumulative. For an organization to attain maturity Level 2, for example, it must also demonstrate it has met the requirements of Level 1. Following are brief descriptions of the three levels.
- Level 1 – Foundational. This level of compliance is required for all contractors who handle FCI, or federal contract information—which is essentially all contractors. This level includes the 17 cybersecurity requirements specified in FAR 52.204-21 (and mirrored in 48 CFR 52.204-21). Certification at this level requires a compliance self-assessment every year, which a company executive must attest to (similar to Sarbanes-Oxley attestation). Level 1 is likely to be the only level of compliance required of the smallest suppliers and subcontractors.
- Level 2 – Advanced. This level of compliance focuses on protecting CUI or controlled unclassified information. It encompasses the 110 information security controls specified in NIST 800-171, including 61 controls for non-federal organizations (NFOs). DoD estimates that roughly 80,000 contractors will need to achieve this level of certification. Level 2 requires contractors to have an established security program along with documented evidence that the required controls are in place. It also requires contractors to pass a CMMC compliance assessment, which must be conducted by a CMMC third-party assessment organization (known as a C3PAO) that has been officially authorized by the Cyber AB (formerly known as the CMMC Accreditation Body).
- Level 3 – Expert. This level of compliance is required for all contractors who handle CUI that is used in DoD’s highest priority programs. While the specific requirements at this level are still being finalized, we know that maturity level requirements are cumulative, so Level 3 will encompass the 110 controls specified in NIST 800-171 and the 61 NFO controls and is expected to include controls from NIST 800-172 as well. Contractors at this level must pass the Level 2 compliance assessment. They must also undergo an evaluation of their compliance with NIST 800-172, which must be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Steps to Achieving CMMC 2.0 Compliance
There are a number of steps required in the journey to compliance. They occur in four distinct phases, as described below.
- Phase 1 – Gap Assessment. This includes an assessment of the current gaps in your security program that prevent you from being compliant with CMMC 2.0 requirements. To know what your requirements are, you must identify the level of certification you need, which is based on the type of information you handle (FCI, CUI, or CUI for high-priority projects, as described in the three levels above). To conduct your Gap Assessment, you will need to engage a Registered Provider Organization (RPO) authorized by the Cyber AB (formerly known as the CMMC Accreditation Body). This helps ensure that all security requirements are fully addressed at each applicable level.
- Phase 2 – Remediation. This phase includes preparing a remediation plan to address the gaps identified in Phase 1, and then executing that plan to remediate the gaps and bring your security program into compliance. Consider Phases 1 and 2 to be a dress rehearsal for Phase 3. They will help you conserve financial and other resources because you will be guided by your RPO, which will maintain a steady focus on your assessment and remediation without being distracted by the conflicting priorities and emergencies that often plague in-house staff.
- Phase 3 – Compliance Assessment and Certification. In this phase, Level 1 contractors will conduct a self-assessment against the CMMC 2.0 compliance requirements that apply to them, and submit documentation as instructed. Level 2 and Level 3 contractors will engage a CMMC third-party assessment organization (C3PAO) that has been officially accredited by the Cyber AB (formerly known as the CMMC Accreditation Body). Level 3 contractors will also undergo the DIBCAC evaluation. For Level 2 and 3 contractors, assessment results will be documented, and compliance certification will be awarded assuming a successful assessment. At this point, you are able to continue to perform contract work for the DoD, including bidding on new contracts and contract renewals.
- Phase 4 – Optimization. This is an ongoing maintenance phase during which you should stay informed of cybersecurity trends, new information security tools, and emerging threats. Continue to monitor your systems, networks, and security safeguards to improve your security posture in between the required periodic assessments. Your ongoing focus is on protecting the FCI and CUI you are responsible for in order to keep DoD supply chain security strong.
How to Get Started
To prepare your organization to pass the official compliance assessment and obtain certification (Phase 3), act now to engage the services of a Registered Provider Organization who has assisted other DoD contractors in getting ready for CMMC 2.0 compliance. The RPO will take you through the gap assessment and remediation (Phases 1 and 2) and help you secure a qualified C3PAO to conduct your Phase 3 assessment.
24By7Security is an authorized RPO and is listed as such in the Marketplace on the Cyber AB (formerly known as the CMMC Accreditation Body) website. We are able to assist contractors at any level in the journey to CMMC 2.0 compliance. You can learn more about our CMMC 2.0 services on the 24By7Security website.
Summary
To protect against data breaches, information security incidents, and other cyber threats, the DoD requires its extensive supply chain to comply with version 2.0 of the Cybersecurity Maturity Model Certification, the most current version. This model imposes a set of cybersecurity requirements at three different levels, based on the type of information contractors handle during their work with DoD.
By July 2023, those requirements will begin to appear in DoD contracts, which means contractors have 12 months to achieve certified compliance with CMMC 2.0 in order to continue bidding on DoD work. The compliance and certification process can take six to 12 months or longer depending on the current state of cybersecurity in your organization.
Engaging a Registered Provider Organization to help you prepare for CMMC 2.0 compliance is a vital first step that should be taken immediately.