What DoD Contractors Need to Know about CMMC 2.0

You Can Start Preparing For CMMC 2.0 Compliance Now

The Cybersecurity Maturity Model Certification (CMMC) program was first introduced by the Department of Defense (DoD) nearly two years ago, in January 2020. Defense contractors and subcontractors were able to begin the process of becoming compliant as early as November 2020, as the CMMC Accreditation Board approved the first group of Registered Provider Organizations (RPOs) to assist contractors in preparing for the mandatory CMMC compliance assessments.

Fast forward to November 4, 2021, when the DoD introduced CMMC 2.0, with some significant changes from the original model. In this post, we’ll review those changes and the reasons for them and offer DoD contractors and subcontractors some tips for preparing for CMMC 2.0.

The Urgency Around CMMC

The Cybersecurity Maturity Model Certification (CMMC) was developed to better protect the sensitive data housed in defense contractors’ networks and information systems, which have proven to be attractive targets for hackers, unfriendly nation-states, and evolving advanced threats.

Nation-states and adversaries of the U.S., including China and Russia, are known to have accessed websites of various defense contractors in order to steal high-value intellectual property. Designs of certain fighter jets have been stolen and used to manufacture cheaper replicas that have been added to adversarial military defenses or offered for sale to secondary nations. Compare the U.S. F-35 to China’s recently introduced J-31, for example.

In the fiscal year 2020, defense contract spending reached a record high, representing nearly two-thirds of overall federal contract spending, according to Bloomberg Government. 

In FY 2020, the DoD awarded a total of $421.5 billion in defense contracts, with the lion’s share going to the largest contractors. This figure is up more than 10% from $382.6 billion in FY 2019. 

Among the Top 100 prime contractors, defined as those who work directly with the DoD, are some of the largest aerospace, engineering, communications, health, pharmaceutical, computing, and electronics manufacturers in the U.S.

In their central roles in the defense industrial base, they possess highly sensitive information, including intellectual property, that constitutes a lucrative target for hackers and other adversaries.

The Burden on Smaller Contractors

Of the total 220,966 contactors who comprise the defense industrial base (DIB) according to the Federal Procurement Data System, 74% are small suppliers and subcontractors who don’t have access to sensitive data known as Controlled Unclassified Information (CUI).

Unfortunately, these smaller businesses have been overwhelmed by the complexity of the new cybersecurity compliance model, as is often the case with federal regulations. Our blog of January 12, 2021, noted that the original CMMC model is highly complex, encompassing a variety of requirements across five certification levels ranging from Basic Cyber Hygiene (Level 1) to Advanced/Progressive Cybersecurity (Level 5). Smaller subcontractors were placed at a distinct disadvantage by the original CMMC model and, as it turns out, unnecessarily so.

CMMC 2.0 Simplifies the Compliance Model

A Department of Defense news release on November 4, 2021, announced a strategic redirection of the compliance model for reasons cited below, which takes into account the unnecessary burden originally placed on three-quarters of the DIB.

The enhanced CMMC program, called CMMC 2.0, maintains the program’s original goal of ensuring that sensitive information is effectively protected while making these key strategic changes:

• Simplifying the CMMC standards and clarifying cybersecurity regulatory, policy, and contracting requirements;
• Applying the most advanced cybersecurity standards and third-party assessment requirements to contractors who support the DoD’s highest priority programs (generally the prime contractors); and
• Increasing DoD oversight of professional and ethical standards in the assessment ecosystem, rather than leaving it all to the Cyber AB (formerly known as the CMMC Accreditation Body.)

Together, these strategic enhancements intend to serve three primary purposes, including:

• Ensuring that designated contractors are held accountable for implementing the cybersecurity standards while minimizing barriers to compliance with DoD requirements;
• Creating a collaborative culture of cybersecurity and cyber resilience between DoD and its extensive supply chain, the defense industrial base; and
• Enhancing public trust in the CMMC ecosystem, while at the same time increasing overall ease of execution.

Clearly, the keywords around the new CMMC 2.0 are simplifying and streamlining. So, just how has the CMMC been simplified and streamlined?

From Five Levels to Three Levels

The most meaningful change is that the CMMC 2.0 model now encompasses three levels of cybersecurity maturity, as described below, rather than the original five.

In CMMC 2.0 the three maturity levels reflect the type of information a defense contractor or subcontractor handles, processes, or is otherwise responsible for. The compliance requirements for each level follow suit. It is vital to understand these distinctions in preparing for CMMC 2.0.

• Level 1 – Foundational. Maturity Level 1 applies the 17 security requirements that align with the 15 cybersecurity practices detailed in FAR 52.204-21, which governs the Basic Safeguarding of Covered Contractor Information Systems. These requirements are also mandated in the Federal Code of Regulations 48 CFR § 52.204-21. This is unchanged from CMMC 1.0. Contractors or suppliers who only handle Federal Contract Information (FCI) are considered Level 1 since this type of information requires protection but is not critical to national security. Companies at this level must conduct annual security risk assessments, document results, and remediate the gaps to prove compliance. They may opt to self-assess or to use the services of a qualified third-party assessor.
• Level 2 – Advanced. This maturity level is aligned with NIST 800-171 and its 110 security practices. It is applicable to members of the defense industrial base who handle, process, or are otherwise responsible for Controlled Unclassified Information (CUI). If the CUI is critical to national security (such as a highly sensitive project), the contractor must complete, document, and submit a third-party assessment every three years. If the CUI is not critical to national security, the company may conduct an annual self-assessment or hire the services of a qualified third-party assessor.
• Level 3 – Expert. This maturity level applies to contractors with the highest-priority programs who handle Controlled Unclassified Information (CUI) that is critical to national security. It is aligned with NIST 800-172, with more than 110 security practices. Contractors at this level must complete third-party assessments every three years with close government oversight. At this level, they must be able to demonstrate penetration-resistant network and system architecture, damage-limiting operations, and cyber-resilience or event survivability. Their compliance with CMMC 2.0 is a matter of national security.

This diagram clearly illustrates the evolution from CMMC 1.0 to CMMC 2.0 and is an excellent aid in preparing for CMMC 2.0 compliance.

Remediation

Fixing the security problems detected in a security risk assessment, known as remediation, is a central theme of CMMC 2.0 compliance at all three cybersecurity maturity levels.

Contractors will need to prepare a Plan of Action and Milestones (POAM) and a Corrective Action Plan (CAP) and will need to track and document all remediation activities and dates. In order to achieve CMMC certification when the time comes, all open items must be remediated. Gaps in security must be closed to prevent hackers and other adversaries from stealing sensitive information and intellectual property from the U.S.

Assessing networks, systems, technologies, processes, and other factors in order to identify your security shortfalls is a vital first step. Acting on that information by remediating those shortfalls is an equally crucial step. Attesting that gaps have been addressed without doing so is a false claim that is subject to severe penalties.

What Next?

The new CMMC 2.0 will move through the federal rulemaking process for the next 18 to 24 months, after which the final CMMC 2.0 structure and requirements will be signed into law. While there are a few minor questions to be resolved, it is generally believed that the streamlined CMMC 2.0 and its three maturity levels will be adopted as proposed.

In the meantime, defense contractors and subcontractors should not lose the momentum they have built-in preparing for compliance with the original CMMC. The best advice is to remain engaged and begin preparing for CMMC 2.0 compliance now.

If you are not certified at the required level when your contract comes up for rebidding or renewal, your contract and future work will be at risk. Conversely, if you prepare early and take the steps we know will be required, you will enjoy a competitive edge over contractors who are not preparing for CMMC 2.0.

There is an effective way to prepare for CMMC 2.0 that you can begin today.

Preparing for CMMC 2.0

The bulk of CMMC 2.0 compliance has been clearly laid out. After successfully developing a CMMC Readiness Service to thoroughly prepare contractors for compliance and assessment with the original CMMC, 24By7Security has updated this service to reflect CMMC 2.0.