The Cybersecurity Maturity Model Certification (CMMC) program was first introduced by the Department of Defense (DoD) nearly two years ago, in January 2020. Defense contractors and subcontractors were able to begin the process of becoming compliant as early as November 2020, as the CMMC Accreditation Board approved the first group of Registered Provider Organizations (RPOs) to assist contractors in preparing for the mandatory CMMC compliance assessments.
Fast forward to November 4, 2021, when the DoD introduced CMMC 2.0, with some significant changes from the original model. In this post, we’ll review those changes and the reasons for them and offer DoD contractors and subcontractors some tips for preparing for CMMC 2.0.
The Cybersecurity Maturity Model Certification (CMMC) was developed to better protect the sensitive data housed in defense contractors’ networks and information systems, which have proven to be attractive targets for hackers, unfriendly nation-states, and evolving advanced threats.
Nation-states and adversaries of the U.S., including China and Russia, are known to have broken into the networks of various defense contractors in order to steal high-value intellectual property. Designs of certain fighter jets have been stolen and used to build cheaper replicas that have been added to adversaries' own forces or offered for sale to third countries. Compare the U.S. F-35 to China's recently introduced J-31, for example.
In the fiscal year 2020, defense contract spending reached a record high, representing nearly two-thirds of overall federal contract spending, according to Bloomberg Government.
In FY 2020, the DoD awarded a total of $421.5 billion in defense contracts, with the lion’s share going to the largest contractors. This figure is up more than 10% from $382.6 billion in FY 2019.
Among the Top 100 prime contractors, defined as those who work directly with the DoD, are some of the largest aerospace, engineering, communications, health, pharmaceutical, computing, and electronics manufacturers in the U.S.
In their central roles in the defense industrial base, they possess highly sensitive information, including intellectual property, that constitutes a lucrative target for hackers and other adversaries.
Of the total 220,966 contractors who comprise the defense industrial base (DIB) according to the Federal Procurement Data System, 74% are small suppliers and subcontractors who don't have access to the sensitive data known as Controlled Unclassified Information (CUI).
Unfortunately, these smaller businesses have been overwhelmed by the complexity of the new cybersecurity compliance model, as is often the case with federal regulations. Our blog of January 12, 2021, noted that the original CMMC model is highly complex, encompassing a variety of requirements across five certification levels ranging from Basic Cyber Hygiene (Level 1) to Advanced/Progressive Cybersecurity (Level 5). Smaller subcontractors were placed at a distinct disadvantage by the original CMMC model and, as it turns out, unnecessarily so.
A Department of Defense news release on November 4, 2021, announced a strategic redirection of the compliance model for reasons cited below, which takes into account the unnecessary burden originally placed on three-quarters of the DIB.
The enhanced CMMC program, called CMMC 2.0, maintains the program’s original goal of ensuring that sensitive information is effectively protected while making these key strategic changes:
Together, these strategic enhancements intend to serve three primary purposes, including:
Clearly, the keywords around the new CMMC 2.0 are simplifying and streamlining. So, just how has the CMMC been simplified and streamlined?
The most meaningful change is that the CMMC 2.0 model now encompasses three levels of cybersecurity maturity, as described below, rather than the original five.
In CMMC 2.0 the three maturity levels reflect the type of information a defense contractor or subcontractor handles, processes, or is otherwise responsible for, and the compliance requirements scale accordingly. Level 1 (Foundational) applies to contractors that handle only Federal Contract Information (FCI) and is based on the 17 basic safeguarding practices of FAR 52.204-21. Level 2 (Advanced) applies to contractors that handle CUI and aligns with the 110 security requirements of NIST SP 800-171. Level 3 (Expert) applies to CUI associated with the DoD's highest-priority programs and adds a subset of the enhanced requirements of NIST SP 800-172. It is vital to understand these distinctions in preparing for CMMC 2.0.
This diagram clearly illustrates the evolution from CMMC 1.0 to CMMC 2.0 and is an excellent aid in preparing for CMMC 2.0 compliance.
Fixing the security problems detected in a security risk assessment, known as remediation, is a central theme of CMMC 2.0 compliance at all three cybersecurity maturity levels.
Contractors will need to prepare a Plan of Action and Milestones (POAM) and a Corrective Action Plan (CAP) and will need to track and document all remediation activities and dates. CMMC 2.0 does allow a POAM to cover a limited set of open items under strict, time-limited conditions, but those items must still be closed within the allowed window; a POAM is a bridge to certification, not a substitute for it. Gaps in security must be closed to prevent hackers and other adversaries from stealing sensitive information and intellectual property from the U.S.
Assessing networks, systems, technologies, processes, and other factors in order to identify your security shortfalls is a vital first step. Acting on that information by remediating those shortfalls is an equally crucial step. Attesting that gaps have been addressed without actually doing so is a false claim that is subject to severe penalties: the Department of Justice's Civil Cyber-Fraud Initiative, announced in October 2021, uses the False Claims Act to pursue contractors that knowingly misrepresent their cybersecurity practices.
The new CMMC 2.0 will move through the federal rulemaking process for the next 18 to 24 months, after which the final CMMC 2.0 structure and requirements will be codified in federal regulation (Title 32 and Title 48 of the Code of Federal Regulations) and become enforceable in DoD contracts. While there are a few minor questions to be resolved, it is generally believed that the streamlined CMMC 2.0 and its three maturity levels will be adopted as proposed.
In the meantime, defense contractors and subcontractors should not lose the momentum they have built in preparing for compliance with the original CMMC. The best advice is to remain engaged and begin preparing for CMMC 2.0 compliance now.
If you are not certified at the required level when your contract comes up for rebidding or renewal, your contract and future work will be at risk. Conversely, if you prepare early and take the steps we know will be required, you will enjoy a competitive edge over contractors who are not preparing for CMMC 2.0.
There is an effective way to prepare for CMMC 2.0 that you can begin today.
The bulk of CMMC 2.0 compliance has been clearly laid out. After successfully developing a CMMC Readiness Service to thoroughly prepare contractors for compliance and assessment with the original CMMC, 24By7Security has updated this service to reflect CMMC 2.0.
In addition, 24By7Security is a Registered Provider Organization (RPO) approved by the Cyber AB (formerly known as the CMMC Accreditation Body), and a number of our professional staff are trained and approved Registered Practitioners (RPs).
As such, we are authorized to assist contractors in preparing for CMMC 2.0 compliance and certification. We are available to help contractors at every maturity level complete the assessments required for that level and carry out the resulting remediation.
For example, for subcontractors at Level 1, we will conduct a complete security risk assessment that meets all requirements at this level. For Level 2 contractors, we will conduct assessments in accordance with the extensive requirements of NIST SP 800-171. In all cases, complete documentation is provided, and remediation assistance and other expert support are available.
24By7Security has unmatched experience in developing security frameworks that enable organizations to meet and maintain cybersecurity compliance requirements. The CMMC Readiness Service is an outstanding example of such a framework and is readily available to assist you in preparing for CMMC 2.0 compliance.
As a respected cybersecurity firm with dozens of certifications and multiple industry and professional awards, 24By7Security has conducted more than 2,000 security assessments against a variety of regulatory requirements. We are a trusted advisor to hundreds of clients in multiple industries, including many engaged in defense contracts.
If your company requires assistance in funding your initial CMMC 2.0 assessment, the South Florida Manufacturing Association sponsors a program called Florida Makes which provides grants for various purposes to companies that manufacture parts, tools, supplies, and other goods. If you are not in Florida, many other states have similar organizations.
The important message is to begin preparing for CMMC 2.0 compliance now. There is no reason to wait.
Happy Holidays!
Due to the extended holiday, we will not be posting on Tuesday, November 30. Warmest wishes for a happy holiday from your 24By7Security team!