What Is CMMC Compliance, and how has CMMC changed in 2.0?
The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is a unified standard for implementing cybersecurity across the Department of Defense (DoD), as well as any contractor that works with it. It verifies that suitable levels of cybersecurity systems and processes are established to ensure fundamental cyber hygiene practices. CMMC is designed to secure controlled unclassified information (CUI) stored on networks of DoD contractors.
The DoD released the proposed CMMC version 2.0 to the public on November 17, 2021. CMMC 1.0 was suspended as a requirement immediately upon release of the proposed version 2.0 (see this notice in The Federal Register).
Who Needs CMMC?
CMMC 2.0 is currently not mandatory until the proposed CMMC 2.0 standard is finalized under title 32. A future requirement for CMMC 2.0 compliance is entirely foreseeable. CMMC 2.0 level 1 compliance can be achieved through a self-assessment.
What Are the CMMC Levels?
The CMMC model includes 3 levels, each with a corresponding set of practices and processes. The DoD may require contractors to meet both the associated practices and the given processes to achieve each specific CMMC level. Level 3 is currently undefined, but is likely to be similar to the previous CMMC 1.0 level 5, per guidance in the Federal Register. Below is a summary of the process and practice standards for each of CMMC’s five levels.
CMMC 2.0 Level 1
Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. If you’re already doing business with the DoD, you should already be compliant. The 17 controls outlined in Level 1 are all basic cyber hygiene practices and outline the bare minimum any contractor should already have established.
CMMC 2.0 Level 2
CMMC 2.0 Level 2 parallels CMMC 1.0 Level 3, marking a major jump in requirements under this new security framework. Level 2 requires you to establish, maintain, and resource a plan that demonstrates the management of activities for practice implementation. Your plan may include information on missions, goals, project plans, resourcing, required training, and involvement of key stakeholders.
Level 2 is all about the protection of CUI and includes all security requirements specified in NIST SP 800-171, plus some additional methods to mitigate threats.
You should expect to need at least a Level 2 CMMC certification in the future if you store, process, or transmit CUI or hold export-controlled data—defined as “information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR).”
Please note: ITAR only applies in very specific circumstances. If you’re not exporting material, munitions, or data you very likely do not have any ITAR requirements.
CMMC 2.0 Level 3
As mentioned above, CMMC 2.0 Level 3 is currently undefined but is likely (per the Federal Registry) to resemble CMMC 1.0 Level 5. Level 3 requires you standardize and optimize process implementation across the organization. At the same time, its practices center on protecting CUI from advanced persistent threats (APTs), increasing the depth and sophistication of your cybersecurity capabilities.
How Should You Prepare for CMMC?
Achieving CMMC compliance takes time. Plan for at least six months if you’re starting from scratch. From drafting policies and deploying solutions to establishing essential cultural changes within your organization, your efforts will quickly add up.
Five Questions Every DoD Contractor Should Ask Themselves
1. Is your organization NIST 800-171 compliant?
According to NIST 800-171 (which aligns with CMMC Level 3), contractors should routinely assess their organizational systems’ security controls to determine their effectiveness. So, in preparation for CMMC, assess your current organization for NIST 800-171 compliance.
2. Do you have an updated system security plan (SSP)?
NIST 800-171 also requires contractors to document and update SSPs, including company policies, network diagrams, and relationships with other systems. If you don’t already have an SSP, create one. If you do have one, make sure it’s up to date.
3. Have you created a plan of action & milestones (POA&M)?
Your POA&M documents the remediation project plan and help establish timelines and anticipated resource requirements.
4. Have you implemented a remediation plan?
Completing the POA&M will go a long way toward ensuring compliance with NIST 800-171 and your existing contracts, while also preparing for the full CMMC 2.0 rollout.
5. How do you plan to maintain compliance?
Once you’ve achieved compliance, you’ll need to create a plan to retain it. While often overlooked, maintaining compliance with the DoD’s rigorous security standards may prove challenging and requires a documented strategy and near-daily execution.
As with any comprehensive security program, meeting the requirements of CMMC demands an integrated approach entailing several different solutions. Everything from compliance platforms, encrypted assets, and data backups to monitoring and management solutions must seamlessly work together to eliminate vulnerabilities and ensure CMMC certification.
Should You Outsource Your CMMC Program?
If you have the necessary resources and IT staff at your disposal, you may want to prepare for your desired CMMC cybersecurity certification in-house. The Self-Assessment Handbook—NIST Handbook 162—is a great way to get you on the road to Level 2 CMMC compliance.
That said, don’t make the decision to keep your CMMC program in-house lightly. If you don’t pass the third-party CMMC audit on the first try, you’ll need to correct any security shortcomings and contend with a potential backlog of audits before getting a second opportunity. Lengthy delays could be extremely costly if you rely on DoD contracts for a significant percentage of your revenue.
If you don’t have the resources or internal expertise to take on the requirements of CMMC, outsourcing is a wise option. As the market leader in security operations, Arctic Wolf can guide you through the process, help you put an appropriate security plan in place, and save you time and money.
Discover how Arctic Wolf can help your organization meet its CMMC compliance needs.