Navigating the Road to CMMC Level 2 Compliance: Insights and Tips From an Expert

On November 4, 2021, the U.S. Department of Defense (DoD) unveiled the updated version of its Cybersecurity Maturity Model Certification (CMMC) 2.0. This new version incorporates a tiered system of CMMC certification levels that is designed to assist suppliers in the Defense Industrial Base (DIB) in evaluating and enhancing their cybersecurity posture. It aims to ensure that all DoD contractors are utilizing suitable cybersecurity measures and protocols to safeguard controlled unclassified information (CUI) and federal contract information (FCI).

CMMC Level 2 is a crucial milestone for defense contractors to achieve. It focuses on intermediate cyber hygiene, serving as a logical progression for organizations to step up from Level 1. In addition to safeguarding federal contract information (FCI), Level 2 also includes protections for controlled unclassified information (CUI). The additional sets of practices included in Level 2 help position organizations to better defend against more severe cyber threats than those covered at Level 1. While Level 1 is self-attestation only, Level 2 requires self-attestation and certification by a certified third party.

In a recent Kitecast episode, Michael Redman, a Senior Associate with Schellman and CMMC trainer and expert, maps out a successful roadmap to CMMC Level 2 compliance that DoD contractors and subcontractors can leverage and reveals insights and tips that can accelerate the certification process.

Is the Defense Industrial Base Taking CMMC Level 2 Compliance Seriously?

The question of how seriously the Defense Industrial Base (DIB) is taking the CMMC Level 2 compliance regulation is multifaceted. The answer depends largely on the type of participant and their respective level of engagement. Redman reveals that while most DIB participants are taking CMMC 2.0 very seriously, some are lagging in building a roadmap to certification. This creates potential risks in the DoD supply chain.

Redman notes that large, mid-sized, and small companies alike that serve as contractors or subcontractors for the DoD are taking the necessary steps to become CMMC compliant. Many even started before CMMC was officially codified into law. Level 1 requires self-attestation only, while Level 2 requires self-attestation plus certification by an approved third party.

For Level 2 CMMC certification, DoD supply chain participants are approaching the regulation with varied levels of engagement. Some are waiting to see “where the wind blows,” while others are taking their lead from the DoD’s Office of the CIO and the Justice Department, which are actively promoting CMMC.

Sadly, some participants remain in the dark on the importance of CMMC compliance. These participants require the most education, as they have been inundated with a smorgasbord of different opinions and advice, leaving them confused and unmotivated. For those in the DIB feeling overwhelmed, it is important to remember that CMMC is here to stay and it will become codified into law. As such, it is essential to find the right consultants and C3PAOs that can help to guide them in the right direction.

CMMC is a long-term investment that provides numerous benefits to the DIB. From increased ROI to higher security standards and better assessment capabilities, the potential gains are immense. The challenge is to encourage participants to understand the importance of the program and to take the necessary steps, regardless of the size and type of their business, to ensure compliance.

The Challenge of CMMC Self-assessment

The DoD requires the implementation of CMMC for its suppliers. Level 1 and Level 2 compliance require DoD suppliers to self-assess the maturity of their cybersecurity practices based on the controls specified in each level. Level 2 additionally requires certification by a third party.

The challenge of CMMC self-assessment is twofold. First, there is a disconnect between the self-assessment of companies and the assessment done by the DoD. Although 71% of organizations believe they are compliant with the Level 2 practice requirements, the DoD in a study found only 29% of them are compliant. This means that organizations are not accurately measuring their own compliance and are therefore unable to adequately prepare for their CMMC assessment.

The second challenge of CMMC self-assessment is the language of the standards. Many of the controls are written in a way that can be interpreted in different ways. With this fuzzy language, an organization’s CEO may think they are compliant based on their own definition of the word “implemented,” when it actually requires much more than that for compliance. This can lead to organizations feeling overconfident about their level of compliance, when in reality they are not compliant, leading to substandard assessments from the DoD.

It is essential for organizations to take the self-assessment process seriously and to understand the expectations of the DoD in order to be successful in their CMMC assessment. Organizations need to gain clarity on the definitions of the compliance requirements, and be prepared to demonstrate full compliance in order to pass the DoD assessment. It is only through a thorough understanding of the requirements, and accurate self-assessment, that companies will be able to bridge the disconnect between self-assessment and DoD assessment.

Understanding the Phased Implementation of CMMC 2.0

The DoD recently announced that it will be skipping the interim rule step in the implementation of CMMC 2.0 and going straight to the final rule. This is a big deal, as it means that when the final rule is released in June, CMMC 2.0 will become a reality.

Though the ramp-up period is expected to take at least eight months, organizations that have not yet attained their CMMC certification will still be subject to compliance with 2.0. The DoD can and will conduct random audits to ensure that these organizations are in compliance with the necessary standards. It is important that companies understand that the federal government is not playing around with this: organizations found not to have met the necessary requirements may have their contracts shut down.

The Role of C3PAOs in the CMMC Certification Process

The CMMC has been designed to protect federal contract information (FCI) and controlled unclassified information (CUI) from cyberattacks. The introduction of the CMMC also resulted in the creation of CMMC Third Party Assessor Organizations (C3PAOs) overseen by the CMMC Accreditation Body (CMMC-AB).

C3PAOs are responsible for ensuring DoD contractors and subcontractors meet the requirements of the CMMC. C3PAOs are responsible for providing independent inspections, assessments, and recommendations, which enable the DoD to determine whether a supplier has the necessary security controls in place.

C3PAOs help the DoD to ensure that the contractor’s information system is secure and that the contractor is in compliance with the CMMC practice requirements. Further, C3PAOs provide guidance to the DoD on the implementation of the CMMC and verification that their cybersecurity practices adhere to National Institute of Standards and Technology (NIST) 800-171 standards—which are mirrored in CMMC Level 2.

How Kiteworks Can Accelerate CMMC Level 2 Compliance

The Kiteworks Private Content Network supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box, more than any other sensitive content communications provider in the industry. One of the reasons for Kiteworks’ leadership position when it comes to CMMC is the fact that the Private Content Network is FedRAMP Authorized to Moderate Level Impact for consecutive years running. It also touts compliance with other industry standards such as FIPS 140-2, ISO 27001, 27017, 27018, SOC 2, and others.

And with a hardened virtual appliance enveloping the Kiteworks Private Content Network, file and email data communications for public and private sector organizations, whether sent internally or to third parties, are kept private and remain confidential.

To understand how Kiteworks can help your organization accelerate CMMC compliance, schedule a custom demo today.
