On November 4, 2021, the Department of Defense (DoD) announced a massive overhaul of the Cybersecurity Maturity Model Certification (CMMC 1.0) program. The new framework, dubbed CMMC 2.0, is still being finalized and not yet publicly available, raising a lot of questions for many Defense Industrial Base (DIB) contractors and subcontractors about how they’ll need to adjust.
To offer some guidance in the meantime, here’s what we currently know about CMMC 2.0 and some important security services that organizations should keep implementing to protect their data and infrastructure.
Key changes to the CMMC program
While CMMC 2.0 will replace CMMC 1.0, the new framework’s overarching goal remains the same: protect federal contract information (FCI) and controlled unclassified information (CUI). To simplify and streamline the assessment process, CMMC 2.0:
- Reduces the number of certification levels from five to three
- Removes maturity processes and CMMC-unique practices
- Aligns Levels 2 and 3 requirements with National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and 800-172 controls
- Allows the use of time-limited plans of action and milestones (POAMs) and waivers
This article examines the significant changes to the CMMC program in depth, as well as how these updates will affect DIB contractors.
Complying with CMMC 2.0
Currently, no information regarding the specific practices or controls necessary at each level of CMMC 2.0 has been released. However, the alignment of the new levels to other federal requirements and commonly accepted standards gives organizations a general idea of the types of security services necessary to comply with the updated CMMC framework.
Foundational/Level 1
Contractors that handle FCI but not CUI fall under this level. They are expected to implement FAR 17, or the Federal Acquisition Regulation’s 17 most basic cybersecurity practices, which focus on safeguards such as physical protection and access control. Although this is the lowest compliance level, implementing these controls is not a simple task, and organizations should remain diligent when doing so.
Advanced/Level 2
Meanwhile, contractors that handle FCI and CUI — whether critical or less sensitive to national security — fall under this level. They are required to implement significantly more controls than in Level 1, particularly the 110 cybersecurity safeguards laid out in NIST SP 800-171. These focus on areas like access control, identification and authentication, awareness and training, and more.
Notably, NIST SP 800-171 is the only standard for Level 2 compliance, which means contractors no longer have to comply with the unique security practices introduced in CMMC 1.0. Note, however, that NIST has recently announced plans to update the standard, so the number of controls and practices that organizations need to implement could change.
Expert/Level 3
Large prime contractors and organizations that work on highly critical national security programs fall under this level. They handle CUI that can potentially impact national security, which is why they are subject to even more stringent controls than those in Level 2. In particular, the cybersecurity requirements under Level 3 are derived from NIST SP 800-172, which means Level 3 contractors must implement 35 advanced controls in addition to the 110 controls from NIST SP 800-171.
Given this information, DIB contractors should proactively implement NIST SP 800-171 controls to put them in a much better position when CMMC 2.0 becomes a contractual requirement. It will be prudent to focus on the following areas:
Cybersecurity education and awareness training – This is critical for all employees, regardless of level or role within the organization. All staff should be aware of the types of threats they may face, as well as how to identify and report suspicious activity. Cybersecurity awareness training should also cover topics like social engineering, spear phishing, and ransomware.
Access controls – These restrict access to systems and data based on a user’s role, job function, and need to know. Access controls can be implemented in a number of ways, such as multifactor authentication, firewalls, and access control lists.
Authentication – This verifies the identity of individuals or devices before granting them access to systems or data. Common methods of authentication include usernames and passwords, biometrics, and tokens.
Encryption – This protects data from unauthorized access or tampering by encoding it into an unreadable format. It is critical to encrypt data both at rest (stored on devices) and in transit (between systems).
Physical security – This helps safeguard systems, data, and personnel from physical threats, such as theft, vandalism, or sabotage. Physical security measures may include locks on doors and cabinets, surveillance cameras, and guards.
Although the specific compliance requirements for CMMC 2.0 will likely change with the release of the final framework, proactively implementing these measures will enable DIB contractors to be more secure and better prepared for the updated standard.
If you have any questions or need assistance with CMMC compliance, our specialists at Charles IT are here to help. Contact us today!