America’s cybersecurity experts are bracing for a fresh wave of attack s as the 2024 Presidential election approaches. With nation-states and threat actors launching cyber attacks with increasing regularity and success, and with critical infrastructure and nothing less than the sanctity of our democracy at stake, the U.S. Department of Defense (DoD) continues to tighten the security4 controls not just within its own agency but with all third-party contractors with whom it does business.
Nowhere is this more apparent than in the framework built around its Cybersecurity Maturity Model Certification (CMMC) to which all contractors within its Defense Industrial Base (DIB) must adhere.
What Is CMMC Certification, and How Has it Changed in 2.0?
The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is a unified standard for implementing cybersecurity across the Department of Defense (DoD), as well as any contractor that works with it.
It is designed to enhance and ensure cybersecurity standards for companies in the DIB by protecting controlled, unclassified information (CUI) that is stored on the networks of DoD contractors and subcontractors. It verifies that suitable levels of cybersecurity systems and processes are established to ensure fundamental cyber hygiene practices.
The evolution from 1.0 to 2.0 began in March of 2021, with an internal review of the model that was informed by 850 public comments. The DoD spent the next eight months assessing how best to refine the policy and ensure its implementation. In November of 2021, they unveiled CMMC 2.0, touting a streamlined model with reliable assessments and flexible implementation, designed to achieve the five goals the DoD set out during its internal review:
• Safeguard sensitive information to enable and protect the warfighter
• Enforce DIB cybersecurity standards to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Perpetuate a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards
According to the DoD, the framework has three key features:
1. Tiered Model
CMMC 2.0 requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also describes the process for information flow down to subcontractors.
2. Assessment Requirement
CMMC 2.0 assessments allow the DoD to verify the implementation of clear cybersecurity standards.
3. Implementation Through Contracts
Once CMMC 2.0 is fully implemented, certain DoD contractors that handle sensitive, unclassified DoD information will be required to achieve a particular CMMC 2.0 level as a condition of contract award.
CMMC 2.0 is currently not mandatory until the proposed CMMC 2.0 standard is finalized under title 32, which is expected in the final quarter of 2025. Future requirements for CMMC 2.0 compliance is entirely foreseeable.
What Are the CMMC 2.0 Certification Levels?
CMMC 2.0 reduces the certification levels from the five found in version 1.0 to three. Each of the three levels in version 2.0 correspond to a set of practices and processes.
CMMC 2.0 Level 1
Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. It is a foundational level for companies who only handle Federal Contract Information (FCI); information which requires protection but is not critical to national security. If you’re already doing business with the DoD, you should already be compliant with Level 1. The 17 controls outlined by the DoD in Level 1 are all basic cyber hygiene practices and entail the bare minimum any contractor should already have established. These controls fall into the following six categories and are defined by the DoD as:
Access control:
• Preventing unauthorized user access to information systems, as well as controlling processes acting on behalf of authorized users or devices
• Limiting information system access to only authorized transactions and functions
• The verification and control and/or limiting of connections to, and use of, external information systems
• Control of information posted or processed on publicly accessible information systems
Identification and authentication:
• The identification of users, processes, and devices attempting to access information systems
• The verification that users, processes, and devices are authorized to access information systems.
Media protection:
• The sanitization or destruction of media containing FCI before its disposal or reuse
Physical protection:
• Limiting physical access to systems, equipment, operating environments to authorized individuals
• The escorting of visitors and monitoring of visitor activity
System and communications protection:
• The maintaining of audit logs for all physical access
• The control and management of physical access devices
System and information integrity:
• The monitoring, control, and protection of information systems communications at external boundaries and key internal boundaries
• The implementation of subnetworks for publicly accessible system components that are physically or logically separated from internal networks
• Identifying, reporting, and correcting information and information system flaws in a timely manner
• Providing protection from malicious code at appropriate locations within organizational information systems
• Updating malicious code protection mechanisms when new releases are available
• Performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Level 1 certification can be achieved annually through a self-assessment.
CMMC 2.0 Level 2
Level 2 is all about the protection of CUI and includes all security requirements specified in NIST SP 800-171, plus some additional methods to mitigate threats. It “provides increased assurance to the DoD that a contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow with its subcontractors in a multi-tier supply chain.”
It largely parallels the requirements found in Level 3 of CMMC 1.0, marking a major jump in requirements. However, Level 2 in CMMC 2.0 reduces the controls from 130 down to 110. These 20 removed controls, known as the “Delta 20” controls, are considered unique to CMMC and no longer required.
The 110 controls that constitute Level 2 fall into the following 14 categories:
• Access control
• Awareness and training
• Audit and accountability
• Configuration management
• Identification and authentication
• Incident response
• Maintenance
• Media protection
• Personnel security
• Physical protection
• Risk assessment
• Security assessment
• System and communications protection
• System and information integrity
Level 2 requires you to establish, maintain, and resource a plan that demonstrates the management of activities for practice implementation. Your plan may include information on missions, goals, project plans, resourcing, required training, and involvement of key stakeholders.
You should expect to need at least a Level 2 CMMC certification in the future if you store, process, or transmit CUI or hold export-controlled data — defined as “information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR).”
Please note: ITAR only applies in very specific circumstances. If you’re not exporting material, munitions, or data you very likely do not have any ITAR requirements.
CMMC 2.0 Level 3
Level 3 is currently undefined, but it is likely (per the Federal Registry) to resemble CMMC 1.0 Level 5. The DoD claims it “will contain a subset of the security requirements specified in NIST SP 800-172.”
It is expected that Level 3 will require organizations to standardize and optimize process implementation across the organization. At the same time, its practices will likely center on protecting CUI from advanced persistent threats (APTs), increasing the depth and sophistication of an organization’s cybersecurity capabilities.
Unsurprisingly, the three levels that comprise CMMC 2.0 are cumulative, meaning certification for Level 3 will require previous certifications for Level 1 and Level 2.
How Can You Achieve CMMC Certification?
Depending on the vendor’s contract with the DoD, and the kind of information the vendor is securing, parts of the CMMC are able to be completed through self- assessment.
Level 1 can be completed through self-assessment, and there is a subset of Level 2 that can also be completed via self-assessment. However, that is only available if the information, “does not involve information critical to national security,” according to the CMMC website. Level 3 must be assessed by government officials.
While the CMMC website provides both scoping guidance and assessment guides, achieving CMMC certification takes time. Plan for at least six months if you’re starting from scratch. From drafting policies and deploying solutions to establishing essential cultural changes within your organization, your efforts will add up, but will take a large amount of time and effort.
While Level 1 includes standard, table-stakes cybersecurity controls anyone contracting with the DoD should already be using, Level 2 raises the bar significantly. As you begin the process of achieving Level 2 certification, a great place to start is by tackling five key steps.
5 Steps to Help You Achieve CMMC 2.0 Level 2 Certification
1. Ensure your organization NIST 800-171 compliant
According to NIST SP 800-171 (which aligns with CMMC 2.0 Level 2), contractors should routinely assess their organizational systems’ security controls to determine their effectiveness. So, in preparation for CMMC, assess your current organization for NIST SP 800-171 compliance.
2. Create and maintain an updated system security plan (SSP)
NIST SP 800-171 also requires contractors to document and update SSPs, including company policies, network diagrams, and relationships with other systems. If you don’t already have an SSP, create one. If you do have one, make sure it’s up to date.
3. Create a plan of action and milestones (POA&M)
Your POA&M documents the remediation project plan and helps establish timelines and anticipated resource requirements.
4. Implement a remediation plan
Completing the POA&M will go a long way toward ensuring compliance with NIST SP 800-171 and your existing contracts, while also preparing for full CMMC 2.0 certification.
5. Develop a plan to maintain compliance
Once you’ve achieved compliance, you’ll need to create a plan to retain it. While often overlooked, maintaining compliance with the DoD’s rigorous security standards may prove challenging and will require a documented strategy and near-daily execution.
As with any comprehensive security program, meeting the requirements of CMMC 2.0 demands an integrated approach entailing several different solutions. Everything from compliance platforms, encrypted assets, and data backups to monitoring and management solutions must seamlessly work together to eliminate vulnerabilities and ensure CMMC certification.
How Can You Get Help With CMMC 2.0 Certification?
Don’t make the decision to keep your CMMC program in-house lightly. If you don’t pass the third-party CMMC 2.0 audit on the first try, you’ll need to correct any security shortcomings and contend with a potential backlog of audits before getting a second opportunity. Lengthy delays could be extremely costly if you rely on DoD contracts for a significant percentage of your revenue.
If you don’t have the resources or internal expertise to take on the requirements of CMMC, engaging with a third-party solution provider can be an excellent idea. Managed security operations like those provided by Arctic Wolf® can help you quickly come into alignment with many of the controls required by CMMC 2.0, while helping guide you through the process and aiding you in the creation and implementation of an appropriate security plan.
Independent assessor Coalfire found that the Arctic Wolf® Platform, which includes Arctic Wolf ® Managed Detection and Response, Arctic Wolf® Managed Risk, and Managed Security Awareness® can supply strong support for up to 76 of the 110 CMMC 2.0 Level 2 requirements.
Learn more about what Coalfire had to say in their white paper, Arctic Wolf Networks, Inc. Security Operations Cloud for CMMC 2.0.
Explore the topic in more depth with our on-demand webinar, Cybersecurity Compliance Deep Dive: CMMC.
See how the Arctic Wolf Platform helped one organization achieve CMMC certification in our case study, Arctic Wolf® Allows Enovate to Exceed Security Requirements While Gaining Visibility.
