Cybersecurity Maturity Model Certification (CMMC) compliance has become essential for U.S. Department of Defense (DoD) contractors and vendors.
Established to give the Defense Industrial Base (DIB) a single cybersecurity framework for protecting DoD information and strengthening supply chain resilience, CMMC protects sensitive but unclassified DoD information that the Department shares with contractors, vendors and suppliers.
CMMC sets cybersecurity requirements and dictates how compliance is demonstrated: through self-assessment, third-party assessment or, in some cases, government-conducted assessment. Because it is a DoD-directed standard that applies to hundreds of thousands of DoD contractors and suppliers, CMMC has also emerged as a credible cybersecurity framework for other organizations that must protect sensitive information.
What exactly is the current state of CMMC policy, how do organizations become compliant/certified, and what is the projected impact of CMMC on cybersecurity outside of the DIB ecosystem?
Implementation of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 in November 2020 activated CMMC Version 1.0, which defined five levels of cybersecurity maturity and required DoD contractors and vendors to demonstrate compliance through third-party assessments. In March 2021, DoD began a comprehensive review of CMMC 1.0; the result was CMMC 2.0, which streamlines the program. Version 2.0 strengthened accountability, recognized self-assessment for lower levels, reduced barriers to compliance and made the program more resilient.
CMMC 2.0 simplifies the certification process and includes the following changes:
• Reduces the number of defined cybersecurity certification levels from five to three, eliminating CMMC 1.0 levels two and four. The new levels are:
Level 1 (Foundational) covers fundamental cybersecurity practices such as password management and applying patches to keep systems updated. It applies to contractors that handle only Federal Contract Information (FCI) and is designed primarily for small businesses with minimal risk to their data;
Level 2 (Advanced) builds on Level 1 and incorporates the 110 controls of NIST SP 800-171, covering access control, incident response, risk management, physical security and system integrity. It targets organizations handling Controlled Unclassified Information (CUI), which is more sensitive than the information covered by Level 1;
Level 3 (Expert) dictates the most comprehensive and sophisticated security practices, adding a subset of NIST SP 800-172 requirements with extra emphasis on information protection, detection and response. It is intended for organizations handling the most critical unclassified DoD information.
• Removes unique CMMC practices from all levels;
• Permits annual self-assessments and affirmation for Level 1;
• Requires third-party assessment for prioritized Controlled Unclassified Information (CUI) acquisitions;
• Requires annual self-assessment and affirmation for non-prioritized CUI acquisitions;
• Requires Government conducted assessments for CMMC Level 3 (Expert) certification;
• Implements CMMC-specific Plan of Action and Milestone processes.
While CMMC is the cornerstone of cybersecurity and supply chain security for DoD shared information, the standard and the broader ecosystem around it remain a work in progress. For the more than 300,000 government contractors, suppliers and vendors affected, the lack of a final framework presents challenges, including bureaucratic and pricing roadblocks and the difficulty of implementing approved security practices at scale.
CMMC 2.0 assessments are expected to become available in late 2025 to early 2026. While the proposed rule changes are still under review, stakeholders in both industry and government can prepare for the coming assessment and certification changes by participating in early adopter programs, conducting self-assessments and attending professional training. In addition, DoD has launched programs such as Project Spectrum, in conjunction with the Navy, to help small businesses with training and assessments of their IT systems.
CMMC 2.0 certification is projected to be relatively straightforward. The certification process will include the following steps:
• Become familiar with CMMC 2.0 requirements;
• Determine the specific applicable certification level;
• Conduct a gap analysis against the controls required at that level;
• If required, select an accredited CMMC Third Party Assessment Organization (C3PAO);
• Perform the formal assessment;
• Document and remediate assessment findings;
• Submit findings and remediation actions to the CMMC Accreditation Body (CMMC-AB, now the Cyber AB) for certification.
CMMC standards are still being finalized, and evolving requirements will likely drive further updates, but in the end compliance will be mandatory for organizations handling sensitive DoD information. But what about companies with no interest in government contracting that regularly support clients requiring a heightened level of cybersecurity?
Given the rising cyber threat level and the need for recognized cybersecurity frameworks, CMMC offers a comprehensive, proactive, best-practices approach. Implementing the framework would substantially improve data protection across the non-DoD cyber landscape.
CMMC compliance can also play a role in product/service marketing, helping companies to attract and win new customers. As cyberattacks become an almost daily occurrence, more organizations are demanding that vendors and suppliers demonstrate heightened levels of security. CMMC certification sends a strong message that a provider understands the importance of cybersecurity and has taken the difficult but necessary steps to protect client information.