CMMC 2.0 Enhancements from CMMC 1.0 and How do I Meet the Requirements?

What is Cybersecurity Maturity Model Certification (CMMC) 2.0?

The Cybersecurity Maturity Model Certification (CMMC) program was enhanced in November 2021 by the U.S. Department of Defense (DoD) under “CMMC 2.0”.

Cybersecurity Maturity Model Certification (CMMC) requires that contractors mature their cybersecurity defenses against evolving cyber threats, and most importantly that Defense Industrial Base contractors safeguard sensitive national security information: FCI, CUI, and/or ITAR data.

In addition, CMMC version 2.0 is structured around three increasingly progressive requirement levels. Each level maps to the sensitivity of the data the Defense Industrial Base or DoD supplier processes under its contract. The sensitive data types are Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and International Traffic in Arms Regulations (ITAR) data.

What are the CMMC 2.0 streamlined requirements?

  • Simplifies compliance by allowing self-assessment for some requirements.
  • Applies priorities for protecting DoD information.
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.

Cybersecurity Maturity Model Certification requirements (JAN 2023) as prescribed in DFARS 204.7503(a) and (b)

(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).

(b) Requirements. The Contractor shall have a current (i.e., not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.

(c) Subcontracts. The Contractor shall:

(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services, excluding commercially available off-the-shelf items; and

(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.

CMMC Levels Mapped to DFARS and FARS Requirements for Data Protection

CMMC Levels 1-3 Mapped to Contract and Data Protection Requirements

  CMMC Level      | Current Contract Requirements          | Data Protection Requirements
  All Suppliers   | DFARS 204.7503(a) and (b)              | Sensitive Contract Data, FCI, CUI
  Level 1         | FAR 52.204-21                          | FCI
  Level 2         | DFARS 252.204-7012                     | CUI
  Level 3         | DFARS 252.204-7012, High Assessment    | CUI, Critical CUI

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are data collected, created, transmitted, or received while fulfilling the contract’s obligations to develop or deliver a product or service. FCI is information not marked as public or for public release, and it is subject to minimum cybersecurity requirements, such as CMMC Level 1.

Typically, FCI originates from government addresses in emails, systems that store files from the government, hard drives, workstations, manufacturing devices, or backups.

Conversely, CUI requires safeguarding through controlled dissemination even though it is not classified; it is information that legally cannot be made public. CUI must be protected even when it is not sensitive enough to require a security clearance to access. CUI leaked to or accessed by our adversaries could negatively impact national security.

Examples of CUI include legal material, health documents, technical drawings and blueprints, intellectual property, and ITAR-controlled documents/products. The CUI Registry housed in the National Archives provides more details. Look at each category, not just the Defense category.

Lastly, ITAR data falls under the International Traffic in Arms Regulations (ITAR), which control the export and import of defense-related articles and services on the United States Munitions List (USML). Examples are dual-use technologies (technologies with both a military and a commercial application), encryption technology, and military electronics.

Essentially, the DoD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). CMMC serves as a verification mechanism to ensure that cybersecurity controls and processes are adequate to protect Controlled Unclassified Information (CUI). If a DIB contractor collects, transmits, creates, or stores FCI or CUI, CMMC is a requirement.

Praetorian Secure can ease the burden of meeting CMMC compliance requirements with services tailored to help your organization meet CMMC requirements (CMMC Level 1, CMMC Level 2, or CMMC Level 3, which is still under development).

Levels of CMMC Compliance 2.0 Explained

CMMC 2.0 changes released in November 2021 demonstrate a commitment to adapt CMMC program requirements as threats evolve. The DoD is hardening cyber capabilities throughout the supply chain, requiring a consistent effort from DIB contractors to update their cybersecurity posture to protect sensitive data.

As an example, CMMC 2.0 now consists of three increasingly progressive levels of cybersecurity maturity, which are the following:

  • CMMC Level 1: Foundational (same as previous level 1 under CMMC 1.0)
  • CMMC Level 2: Advanced (previously level 3 under CMMC 1.0)
  • CMMC Level 3: Expert (previously level 5 under CMMC 1.0)

Per the OUSD(A&S):

  • CMMC maturity levels will range from basic hygiene to “State-of-the-Art.” In addition, the maturity levels will prescribe security controls and processes that enhance cybersecurity for DIB companies.
  • The DoD measures each contractor’s CMMC progress by how many of the NIST SP 800-171 (Rev. 2) and NIST SP 800-172 controls it has implemented.
  • If a contractor handles Controlled Unclassified Information and DOES NOT have NIST SP 800-171 fully implemented, it will not meet CMMC requirements, regardless of what changes in the future.

CMMC Model Structure

Figure 1: CMMC 2.0 Model Structure — https://dodcio.defense.gov/CMMC/Model/

Level 1: Foundational - Requires 17 Practices and Self-Assessment

Level 1 requires organizations to perform basic cybersecurity practices. They may perform these practices without relying on documentation and reach certification through an annual self-assessment; as a result, third parties do not assess process maturity for Level 1. The DoD supply chain contractor is allowed to self-assess that the 17 CMMC practices are in place. Because the practices focus on the protection of FCI, Level 1 only includes the basic safeguarding requirements detailed in 48 CFR 52.204-21.

Who needs CMMC level 1?

DoD contractors and subcontractors that handle Federal Contract Information (FCI), meaning “information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government,” will need CMMC Level 1 certification.

Level 2: Advanced - Requires Implementation of 110 NIST 800-171 Controls and Third-Party Assessment

Level 2 requires organizations to have documented processes. Additionally, organizations must prove they follow those documented processes to achieve Level 2 maturity. CMMC Level 2 practices are advanced cyber hygiene. Assessment requirements for Level 2 compliance differ based on whether the CUI handled is “critical” or “non-critical” to national security. Organizations that handle data critical to national security must pass a higher-level third-party assessment every three years, while non-prioritized acquisitions involving data not critical to national security must conduct an annual self-assessment.

Who needs CMMC level 2?

DoD contractors and subcontractors that handle the same controlled unclassified information (CUI) must meet Level 2 compliance. A lower CMMC level may apply to a subcontractor if the prime only flows down select information.

Level 3: Expert - 110-Plus NIST SP 800-171 and NIST SP 800-172 Controls and Triennial Government-Led Assessments

The Level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats (APTs) by requiring an organization to establish, maintain, and resource a plan to manage the activities needed to implement its cybersecurity practices. This plan can include information on various specific topics, including goals, missions, projects, resourcing, training, and the involvement of organizational stakeholders. The cybersecurity practices at this level qualify as good cyber hygiene practices and focus on protecting CUI. They also encompass all the security requirements of NIST SP 800-171 and the other 20 requirements added for CMMC Level 2. DFARS clause 252.204-7012 still applies, adding requirements beyond NIST SP 800-171, such as reporting security incidents.

Who needs CMMC Level 3?

Level 3 will apply to companies managing CUI for high-priority DoD programs, that is, contractors who, under their contract with the DoD, process, store, or transmit CUI, ITAR data, Secret, or Top Secret data. The requirements are comparable to CMMC 1.02 Level 5, although the DoD is still developing the specific security requirements. There is an indication that Level 3 requirements will follow the 110 controls of NIST SP 800-171 in addition to a subset of NIST SP 800-172 controls. Lastly, the assessment will be handled by a government-led assessment team, not a third party.

CMMC Model 2.0 Key Features

Figure 2: CMMC 2.0 Model vs. CMMC 1.0 Model — https://dodcio.defense.gov/CMMC/About/

Where do NIST 800-171 and DFARS come into play with CMMC?

Before the certification assessment, it helps to better understand DFARS and NIST SP 800-171.

The DoD is taking the process of securing the Defense Industrial Base (DIB) even more seriously than it already was. However, implementation can be challenging for small-to-medium size businesses. That said, it doesn’t have to be. Praetorian Secure has vast experience working with companies to achieve CMMC and NIST compliance. We can navigate the difficulties with your team and transfer knowledge about the best course for implementing Cybersecurity Maturity Model requirements and certification. The benefits of working together are reduced transition-in costs and timelines to meet your contract commitments.

What is at stake with CMMC Compliance? Our national security. Hackers with malicious intent, potentially against the United States of America, want (and are getting) data to our defense systems.

What is the difference between CMMC 2.0 and NIST 800-171?

The passage of the DFARS interim rule in December 2020 allowed the DoD to introduce CMMC and solidify its importance in DoD contracts. CMMC Level 2 is based on NIST SP 800-171, which specified the cybersecurity standards for Defense Industrial Base (DIB) contractors handling CUI before the deployment of CMMC. Contractors can still refer to DFARS clause 252.204-7012 for guidance on self-assessing their cybersecurity capabilities until CMMC is officially required.

With the addition of DFARS 252.204-7019, which requires contractors to upload a basic self-assessment score to the Supplier Performance Risk System (SPRS), accountability and accuracy on the contractor’s part are far more critical than in the past. Contractors must also meet all 110 security controls in NIST SP 800-171 or provide a Plan of Action and Milestones (POA&M) indicating their plan. A POA&M describes the measures a DIB contractor will take to correct the deficiencies discovered during a security control assessment. This plan should identify the tasks the contractor needs to perform and the resources those tasks will require. The shift from self-assessments to independent audits for cybersecurity compliance is one of the most significant differences between NIST SP 800-171 and CMMC.

Third-party assessors will now conduct assessments for most organizations that require Level 2 compliance, and these assessments won’t accept non-compliance with DoD cybersecurity regulations. Under NIST SP 800-171, non-compliance was acceptable, provided the contractor prepared a POA&M and made progress in closing the remaining gaps. CMMC and NIST SP 800-171 mandates will continue to coexist until the DoD completes the CMMC roll-out according to its existing timeline. The number of DoD contractors subject to CMMC will gradually increase over the next few years to include all of these contractors, while the number of defense contractors subject only to NIST SP 800-171 will eventually drop to zero.

How Can Praetorian Secure Help With CMMC Compliance?

Regardless of how challenging the CMMC requirements are before a DoD contract award, DIB contractors should be planning how to demonstrate that the required cybersecurity controls are in place. Contractors who can prove they have an implementation plan and have reached an adequate security posture have a competitive advantage over other contractors. A mature cybersecurity program now becomes a differentiator in winning more DoD contract awards.

Cybersecurity Maturity Model Certification 2.0 Solutions

CMMC Data Assessment

Praetorian Secure uses a data assessment to identify the types of information that an organization processes. This assessment determines the correct CMMC level (Level 1-3) for the organization.

CMMC Gap Assessment

A gap assessment assesses the organization’s overall security posture. This assessment facilitates the implementation of the CMMC practices and processes.

Staff Awareness Assessment

A staff awareness assessment is part of the gap assessment, but Praetorian Secure assesses the security training of an organization’s staff with particular care. This type of audit becomes more common at higher maturity levels.

Domain And Capabilities Audit

The CMMC model includes a series of controls for each maturity level. As the name implies, Praetorian Secure will audit the domain and capabilities appropriate for the organization’s CMMC 2.0 level.

Process Integration Audit

This audit determines how well an organization has integrated security capabilities into its culture. This audit ultimately determines if the organization has reached the required CMMC maturity level.

CMMC Compliance Assessment At A Glance

Cybersecurity Maturity Model Certification (CMMC) is the verification method being used to increase the security of the Department of Defense’s supply chain, as an extension of the Defense Federal Acquisition Regulations System (DFARS) to protect DoD information.

One of the major differences between these two systems is that DFARS allows contractors to assess their own security posture, while CMMC requires independent audits from authorized third parties. In fact, a contractor’s failure to achieve the required CMMC 2.0 level will eventually prevent that contractor from working on DoD contracts, and most likely on contracts across other Government agencies in the future. With our assistance below, you’ll learn the role of a CMMC auditor, how your organization can prepare for an audit, and best practices for CMMC compliance.

If You Have More Questions About The CMMC Audit Process

Learn how we help any organization in the DoD supply chain, including contractors who interact exclusively with the Department of Defense and any subcontractors, meet all CMMC Level 1-3 requirements.

What Is A CMMC Assessment?

A CMMC auditor assesses an organization’s cybersecurity posture. Also, organizations currently subject to DFARS, prime contractors, the Defense Contract Management Agency (DCMA), and legal teams can ask for proof of NIST SP 800-171 compliance today. CMMC 2.0 compliance will go into effect in May 2023 and be in DoD contracts by July 2023. Equally important, auditors and CMMC consultants will be in high demand once they become available, so contractors need to start this process as soon as possible.

What Does a CMMC Assessor Do?

An authorized CMMC auditor may conduct several types of audits, depending on the CMMC maturity level and cybersecurity standards the contractor is attempting to achieve. The complexity of this process and the contractor’s involvement can vary greatly, especially when the auditor performs multiple audits. Assessors can help contractors on their journey toward CMMC 2.0. As your organization prepares, here are some areas to focus on before your CMMC compliance audit.

How Do I Prepare For A CMMC Assessment?

The CMMC-AB authorizes Registered Provider Organizations (RPOs) to provide the consulting and support that contractors need to meet their new obligations under CMMC. RPOs are trusted by the CMMC-AB, as they have been trained in CMMC methodologies. Contractors can thus simplify the auditing process by partnering with an RPO. The basic steps of preparing for a CMMC audit are determining the maturity level your organization requires, assessing its current security posture, and establishing a security roadmap for achieving the required maturity level.

Determine your organization’s CMMC required certification level

The process of preparing for a CMMC compliance audit is highly dependent on the specific maturity level your organization requires.

“For example, a DoD contractor that won’t be working with Controlled Unclassified Information (CUI) may need to do very little to prepare for an audit, besides basic safeguarding practices. On the other hand, contractors who handle highly sensitive information may need to implement many additional security controls to achieve their required CMMC certification.”

The 17 Core Security Domains Of CMMC 2.0

CMMC 2.0 incorporates existing federal cybersecurity regulations such as 48 CFR 52.204-21, DFARS clause 252.204-7012, NIST SP 800-171, and NIST SP 800-172 into a single set of cybersecurity best practices. Furthermore, the CMMC 2.0 standard was simplified into 17 domains with 43 capabilities. The capabilities a contractor must demonstrate depend on its required CMMC level. The list below itemizes the 43 CMMC capabilities and their association with the 17 domains of the CMMC 2.0 model:

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Asset Management (AM)

  • Identify and document assets

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

Maintenance (MA)

  • Manage maintenance

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

Physical Protection (PE)

  • Limit physical access

Recovery (RE)

  • Manage back-ups

Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code review

Situational Awareness (SA)

  • Implement threat monitoring

System and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Organizations demonstrate CMMC compliance with the above capabilities by adhering to a range of practices and processes. Practices are the technical activities of each capability and consist of 171 practices mapped across the three CMMC compliance levels. Processes measure an organization’s maturity in implementing cybersecurity procedures and include nine practices mapped across the maturity levels.

Get Your CMMC 2.0 Consultation Today

Provide your information below and we will be happy to assist you. Someone within our organization will contact you shortly.