Key takeaways that DoD contractors need to understand about the change to CMMC 2.0.
The Department of Defense (DoD) announced the new Cybersecurity Maturity Model Certification, CMMC 2.0, in November 2021. The change came after it was determined that the original CMMC 1.0 model was too cumbersome and confusing for contractors. The intent, however, remains the same: to ensure that the Defense Industrial Base (DIB) contractors have the appropriate measures and procedures to protect sensitive information, including controlled unclassified information (CUI) and federal contract information (FCI).
What’s important to understand is that CMMC 2.0 is actually nothing new. The requirements are based on The National Institute of Standards and Technology (NIST) SP 800-171 and directly aligned with the Defense Federal Acquisition Regulation Supplement (DFARS), which has been required for some time now.
What matters is how strictly you are implementing these best practices for IT security, as the new regulations will be firmly enforced in 2023. To be successful, contractors must change their approach to compliance or risk losing out on lucrative contracts or incurring hefty fines.
Charles IT’s founder and CEO, Foster Charles, has helped numerous companies chart a successful course to CMMC compliance. Here he shares his insights and industry knowledge about how DIB contractors can adapt to the changes to enhance their cybersecurity hygiene and align with industry standards. First, let’s review some basic information about the changes.
High-Level Changes in CMMC 2.0
CMMC 1.0 aimed to aggregate various security requirements into a single compliance standard for the federal government. While the intention was good, the rules were very complicated. CMMC 2.0 is a simplification of CMMC 1.0 — making it much easier for DIB contractors to achieve compliance in order to improve federal defense security.
Level one requires a self-assessment of 17 best practices similar to NIST's cybersecurity framework (CSF). Level two aligns with NIST SP 800-171 and requires certification from a CMMC Third Party Assessment Organization (C3PAO). Lastly, DIB contractors that handle top-secret information must achieve level three compliance based on NIST 800-172.
CMMC 2.0 removes requirements not included in NIST SP 800-171 to make achieving and enforcing compliance more practical. It also covers DIB subcontractors to ensure security across the entire supply chain as more malicious actors target smaller companies that contract with industry giants (e.g., Lockheed Martin). "Hackers may get just one piece of CUI from one supplier. But if they stack a bunch of them together, they can get a rather complete picture — this is how secrets are leaked. CMMC 2.0 is about securing state secrets," Charles says.
Cyber warfare is the latest concern, and for good reasons. For example, threat actors can launch a cyberattack on infrastructure (e.g., the Colonial Pipeline attack), then take advantage of the extended downtime to launch a more devastating physical attack — which could grind the entire nation to a halt.
What's the key takeaway of these changes, and what do you need to know when updating your processes?
A key objective of CMMC 2.0 is to bring clarity and remove complexity. For instance, it requires a third-party certification every three years (instead of an annual assessment) for levels two and three compliance.
Moreover, the procedures are easier to understand, so your focus can be on getting your security posture up to date.
How CMMC 2.0 Benefits DIB Contractors
CMMC 2.0 enables better protection of CUI to prevent data leaks and espionage. It strengthens national security and helps protect against supply chain or state-sponsored attacks. However, understand that it also benefits DIB contractors in their operations: "The manufacturing industry is very far behind in IT and security. Companies still run many processes manually, which is very insecure. Their poor IT security hygiene often leads to costly ransomware and other attacks. CMMC 2.0 forces these contractors to establish good business habits that are ultimately good for their organizations," Charles says.
The thought of yet another regulation may be intimidating. The good news is that half of CMMC 2.0 is already in NIST SP 800-171 — detailing cybersecurity practices that DIB contractors should already be following, e.g., using antivirus software, implementing multi-factor authentication (MFA), and mapping and labeling all CUI.
Critically, companies can't even get cybersecurity insurance coverage without implementing many of the measures outlined in CMMC 2.0. “Nine out of 13 insurance carriers we track will not write a policy unless you have MFA. Same with CMMC 2.0 — and a Plan of Action and Milestones (POA&M) won't be accepted if you don't have the basics such as MFA, antivirus, and security awareness training," Charles says.
CMMC 2.0 is a necessary step forward for the entire defense industry to get up to speed from the technology perspective.
Why Changing Your Approach Is Key
As mentioned, the most common misconception about CMMC 2.0 is that it's a new compliance standard when, in fact, it’s not.
The other crucial misconception is that many contractors assume they can wait until the CMMC 2.0 ruling is approved before taking action. Many contractors underestimate how much time it will take to evaluate their security posture, implement remediation actions, and get their third-party assessment. Some also misjudge how technically behind their systems and processes are and the investment required to achieve compliance. It’s also essential to remember that meeting these standards requires coordination with vendors, which may take time to complete. "Many contractors overlook the complexity of their supply chains and the number of third-party vendors they use. For example, you may discover that a few suppliers still use Windows 7 and refuse to upgrade. So you could find yourself in a pickle if your vendors aren't compliant, and you have to wait for them to upgrade their technology,” Charles says.
There are also issues with cloud compliance, Charles points out. Many contractors also don't realize that they can't process CUI on any cloud — your platform must sit on a Fedramp medium or Fedramp high cloud. For example, instead of Office 365, you must use Microsoft 365 Government Community Cloud High (GCC High).
How to Prepare for CMMC 2.0
Start preparing as soon as you can if you haven't already and expect the process to take a year or two. CMMC 2.0 will likely go into effect in 2023, and as soon as it does, it will appear on all contracts within 60 days. You can't afford to wait ‘till the last minute.
In other words, contractors will benefit from a sense of urgency. "Achieving compliance in one go can be a major shock to an organization and its day-to-day business processes. I recommend conducting an assessment and designing a multi-year roadmap,” Charles says. This plan should answer questions such as: What machines/hardware do you need to replace? Which third-party vendors require upgrades? Do they have plans to do so in the next three years?"
Submitting a system security plan (SSP) is essential to CMMC 2.0 compliance. The SSP is also an essential document that a managed service provider (MSP) can use to assist your company with compliance. The scoresheet outlines CMMC's security requirements and helps you gain an overview of the upgrades you need. “The first thing I usually ask is, ‘do you know your SSP score?’,” Charles says. Other companies may not be as far along. In that case, Charles IT can conduct a gap or risk assessment for our clients as a first step to writing an SSP and a plan of action and milestones (POA&M). “We call it a gap assessment. We need to know how deep the water is, and then we'll pinpoint it and help them write an SSP,” Charles advises.
If you have a relatively mature security posture and follow the latest cybersecurity best practices, achieving CMMC 2.0 compliance should take around six to nine months. If not, you could be looking at an 18-month timeline. Again, don't wait until a contract is on the table — get started now to avoid losing businesses. If your company would like more information on how to get started, we’d love to chat. Plan today to be ready for tomorrow.