Set a Course for CMMC Level 2 Compliance: Insights and Tips From a CMMC Expert
On November 4, 2021, the U.S. Department of Defense (DoD) unveiled the updated version of its Cybersecurity Maturity Model Certification (CMMC) 2.0. This new version incorporates a tiered system of CMMC certification levels that is designed to assist suppliers in the Defense Industrial Base (DIB) in evaluating and enhancing their cybersecurity posture. It aims to ensure that all DoD contractors are utilizing suitable cybersecurity measures and protocols to safeguard controlled unclassified information (CUI) and federal contract information (FCI).
The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.
CMMC Level 2 is a crucial milestone for defense contractors to achieve. It focuses on intermediate cyber hygiene, serving as a logical progression for organizations to step up from Level 1. In addition to safeguarding protecting FCI and CUI, Level 2 compliance helps position organizations to better defend against more severe cyber threats than those covered at Level 1. While Level 1 is self-attestation only, Level 2 requires self-attestation and certification by a certified third assessor organization (C3PAOs).
CMMC 2.0 Level 2 Compliance Requirements
CMMC level 2 is an intermediate stage that requires businesses to implement a certain set of security controls to protect CUI. CMMC Level 2 compliance is assessed based on 110 practices across 14 domains that cover a broad spectrum of cybersecurity measures.
The first set of requirements falls under the Access Control domain. They dictate that organizations must establish system access requirements, control internal system access, limit data access to authorized users, and prevent non-privileged users from executing functions that could potentially lead to security compromises.
Next comes Audit and Accountability, requiring businesses to define audit requirements, create and retain system audit logs, and regularly review and update audit logs. Additionally, there should also be processes to protect audit information and tools from unauthorized access, and to report and act on any shortcomings identified.
The Configuration Management domain requires an organization to establish and enforce security configuration settings for all networked information systems. This involves tracking, controlling and correctly managing changes to the system, preventing the use of unauthorized software, and limiting access to configuration change tools to authorized personnel only.
Identification and Authentication is another crucial domain. This requires organizations to identify information system users and processes acting on behalf of users and authenticate their identities before establishing a session – this could be through multi-factor authentication or enforcing encrypted session identifiers.
In the Incident Response domain, organizations need to establish an operational incident handling capability, track, document, and report incidents to appropriate organizations and thoroughly analyze incident response and escalation.
Maintenance and Media Protection are also important domains in CMMC Level 2 requirements. Regular system maintenance, timely flaw remediation, tools inspection, protection, and sanitation of digital media, controlling access to and marking media are all essential for compliance.
KEY TAKEAWAYS
- Understand CMMC 2.0 Level 2 Compliance:
CMMC 2.0 enhances cybersecurity measures while Level 2 emphasizes intermediate cyber hygiene and certification by a CЗРАО. - Key Requirements and Domains:
CMMC Level 2 compliance covers 72 practices across 17 domains, including access control, audit and accountability, configuration management, among others. - Preparation and Compliance Roadmap:
Achieving CMMC 2.0 Level 2 compliance requires a systematic approach, including understanding specific requirements, conducting gap analysis, and more. - Challenges and Education:
Challenges include a disconnect between self-assessment and DoD assessment and interpreting standards. Education is crucial for accurate self-assessment and successful DoD assessments. - Cost Considerations and Investment:
CMMC 2.0 Level 2 compliance preparation and implementation costs may seem daunting, but it’s an investment in data security and business sustainability.
Other domains like Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity, Recovery, Situational Awareness, Asset Management, Cybersecurity Governance, and Supply Chain Risk Management all have their specific requirements as well. These can range from conducting personnel screening, physically monitoring and controlling access points, conducting regular risk assessments, developing and implementing plans for recovery and continuity to managing supply chain risks.
Organizations are also expected to establish and maintain a plan that demonstrates the management of activities for practice implementation. The plan details the mission, goals, project plans, resourcing, training, and stakeholders to achieve Level 2 compliance.
In total, CMMC Level 2 requirements present a comprehensive set of cybersecurity practices. It maintains a balance between extensive security measures and practical feasibility for organizations, ensuring the effective protection of CUI without causing significant operational disruptions. Compliance to these standards, though may seem complex, ultimately leads to enhanced cybersecurity maturity, reducing vulnerabilities and potential risks.
Achieving CMMC 2.0 Level 2 Compliance
The path to achieving CMMC 2.0 Level 2 compliance begins with understanding the specific requirements of this certification level. It then moves to performing a gap analysis to identify weak areas in your current cybersecurity practices that need improvement. Next, remediation actions should be taken to address these weaknesses and enhance your cybersecurity posture. Ideally, it would be best to work with experienced cybersecurity professionals who can guide your organization through the process.
Preparing for CMMC 2.0 Level 2 Compliance
Preparation is key when aiming for CMMC 2.0 Level 2 compliance. This involves improving cybersecurity training for employees, reinforcing cybersecurity policies, and establishing a proactive cyber threat detection and response system. Moreover, it’s crucial to document all processes and practices as proof of compliance.
In a recent Kitecast episode, Michael Redman, a Senior Associate with Schellman and CMMC trainer and expert, maps out a successful roadmap to CMMC Level 2 compliance that DoD contractors and subcontractors can leverage and reveals insights and tips that can accelerate the certification process.
Is the Defense Industrial Base Taking CMMC Level 2 Compliance Seriously?
The question of how serious the Defense Industrial Base is taking CMMC Level 2 compliance is multifaceted. The answer to the question is largely dependent on the type of the participant and their respective level of engagement. Redman reveals that while most DIB participants are taking CMMC 2.0 very seriously, some are lagging in building a roadmap to certification. This creates potential risks in the DoD supply chain.
Redman notes that large, mid-sized, and small companies that serve as contractors or subcontractors for the DoD alike are taking the necessary steps to become CMMC compliant. Many even started before it CMMC was officially codified into law. Level 1 requires self-attestation only, while Level 2 requires self-attestation plus certification by an approved third party.
For Level 2 CMMC certification, DoD supply chain participants are approaching the regulation with varied levels of engagement. Some are waiting to see “where the wind blows,” while others are taking their lead from the DoD’s Office of the CIO and the Justice Department, which are actively promoting CMMC.
Sadly, some participants remain in the dark on the importance of CMMC compliance. These participants require the most education, as they have been inundated with different and often contrasting opinions and advice, leaving them confused and unmotivated. For those in the DIB feeling overwhelmed, it is important to remember that CMMC is here to stay and it will become codified into law. As such, it is essential to find the right consultants and C3PAOs that can help to guide them in the right direction.
CMMC is a long-term investment that provides numerous benefits to the DIB. From increased ROI to higher security standards and better assessment capabilities, the potential gains are immense. The challenge is to encourage participants to understand the importance of the program and to take the necessary steps, regardless of the size and type of their business, to ensure compliance.
The Challenge of CMMC Self-assessment
The DoD requires the implementation of CMMC for its suppliers. Level 1 and Level 2 compliance require DoD suppliers to self-assess the maturity of their cybersecurity practices based on the controls specified in each level. Level 2 additionally requires certification by a third party.
The challenge of CMMC self-assessment is twofold. First, there is a disconnect between the self-assessment of companies and the assessment done by the DoD. Although 71% of organizations believe they are compliant with the Level 2 practice requirements, the DoD in a study found only 29% of them are compliant. This means that organizations are not accurately measuring their own compliance and therefore unable to adequately prepare for their CMMC assessment.
The second challenge of CMMC self-assessment is the language of the standards. Many of the controls are written in a way that can be interpreted in different ways. With this fuzzy language, an organization’s CEO may think they are compliant based on their own definition of the word “implemented,” when it actually requires much more than that for compliance. This can lead to organizations feeling overconfident about their level of compliance, when in reality they are not compliant, leading to substandard assessments from the DoD.
It is essential for organizations to take the self-assessment process seriously and to understand the expectations of the DoD in order to be successful in their CMMC assessment. Organizations need to gain clarity on the definitions of the compliance requirements, and be prepared to demonstrate full compliance in order to pass the DoD assessment. It is only through a thorough understanding of the requirements, and accurate self-assessment, that companies will be able to bridge the disconnect between self-assessment and DoD assessment.
Understanding the Phased Implementation of CMMC 2.0
The DOD recently announced that they will be skipping the interim rule step in the implementation of new CMMC 2.0 and going straight to the final rule. This is a big deal, as this means that when the final rule is released in June, CMMC 2.0 will become a reality.
Though the ramp-up period is expected to take at least eight months, organizations that have not yet attained their CMMC certification will still be subject to compliance with 2.0. The DoD can and will conduct random audits to ensure that these organizations are in compliance with the necessary standards. It is important that companies understand that the federal government is not playing around with this, and organizations that are found to have not met the necessary requirements may face having their contracts shut down.
The Role of C3PAOs on the CMMC Certification Process
The CMMC has been designed to protect FCI and CUI from cyberattacks. The introduction of the CMMC also resulted in the creation of CMMC Third Party Assessor Organizations (C3PAOs) overseen by the CMMC Accreditation Body (CMMC-AB).
C3PAOs are responsible for ensuring DoD contractors and subcontractors meet the requirements of the CMMC. C3PAOs are responsible for providing independent inspections, assessments, and recommendations, which enable the DoD to determine whether a supplier has the necessary security controls in place.
C3PAOs help the DoD to ensure that the contractor’s information system is secure and that the contractor is in compliance with the CMMC practice requirements. Further, C3PAOs provide guidance to the DoD on the implementation of the CMMC and verification that their cybersecurity practices adhere to National Institute of Standards and Technology (NIST) 800-171 standards—which are mirrored in CMMC Level 2.
Consider the Cost of CMMC 2.0 Level 2 Compliance
The cost of obtaining CMMC 2.0 Level 2 compliance can often appear daunting, especially for small to medium-sized businesses. However, this investment should not be viewed as an unnecessary expense, but rather a crucial step towards ensuring your organization’s data security. It’s important to remember that the cost will vary significantly depending on several factors, including the size of your organization, the complexity of your information systems, and the current state of your cybersecurity infrastructure.
The first major cost component of CMMC 2.0 Level 2 compliance relates to preparation. Initially, organizations might need to spend on cybersecurity assessments to identify current vulnerabilities and gaps in their systems. This process, however, helps to provide a clear roadmap for necessary improvements.
The second substantial cost involves implementing the required security controls and solutions. This includes the purchase, installation, and maintenance of necessary hardware and software. It may also demand onboarding of cybersecurity personnel or outsourcing services from cybersecurity firms.
Lastly, the third considerable cost is the certification process itself, which involves hiring a Certified 3rd Party Assessment Organization (C3PAO) to audit and confirm your compliance.
Again, the cost of compliance with CMMC 2.0 Level 2 can differ greatly from one organization to another based on their specific circumstances. Therefore, it’s advisable to conduct a thorough cost-benefit analysis before embarking on this journey of compliance. Nonetheless, the cost is justified considering the potential adverse impacts of non-compliance, which may include significant penalties or loss of business opportunities due to decreased trust from customers and partners.
In total, though achieving CMMC 2.0 Level 2 compliance presents its financial challenges, it is an essential investment in the future cybersecurity health of your organization. By safeguarding your systems and data from potential threats, you are, in turn, protecting your company’s reputation and sustaining its growth in the long run.
Kiteworks Accelerates CMMC 2.0 Level 2 Compliance
The Kiteworks Private Content Network supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box, more than any other sensitive content communications provider in the industry. One of the reasons for Kiteworks’ leadership position when it comes to CMMC is the fact that the Private Content Network is FedRAMP Authorized to Moderate Level Impact for consecutive years running. It also touts compliance with other industry standards such as FIPS 140-2, ISO 27001, 27017, 27018, SOC 2, and others.
And with a hardened virtual appliance enveloping the Kiteworks Private Content Network, file and email data communications for public and private sector organizations—both that sent internally and to third parties—is kept private and remains confidential.
To understand how Kiteworks can help your organization accelerate CMMC compliance, schedule a custom demo today.
Additional Resources
- Guide A Detailed CMMC 2.0 Guide for DoD Contractors and Subcontractors
- Article What Is Cybersecurity Maturity Model Certification?
- Blog Post What Is CMMC Security Compliance?
- Video What Kiteworks CISO Frank Balonis Thinks About CMMC 2.0
- Webinar What Optiv and Kiteworks Recommend for DoD Contractors and Subcontractors for CMMC 2.0