CMMC & CMMC 2.0: Cybersecurity Maturity Model Certification
While CMMC is still evolving, you will want to ensure your business is up to date on what a CMMC certification is and how its updates affect you.
What is CMMC? Cybersecurity Maturity Model Certification is a standard that requires Department of Defense contractors to meet certain levels of cybersecurity in order to protect the department’s sensitive data.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for safeguarding Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). It is a framework used to assess an organization’s cybersecurity practices and allows the Department of Defense (DoD) to certify that these practices meet the requirements set forth in NIST SP 800-171. The certification is required for all organizations working with the DoD, as CMMC is designed to protect CUI from cyber threats and ensure that contractors follow the same cybersecurity policies and procedures.
What Is the CMMC Framework?
The Cybersecurity Maturity Model Certification (CMMC) is a streamlined and centralized cybersecurity framework created by the U.S. Department of Defense to support contractors in defense supply chain compliance and security efforts.
Based on the types of data they manage—which is determined in part by the agency they work with—defense contractors must have certain kinds of IT security and privacy controls in place and, where relevant, certain clearance levels. However, some types of data don’t require special security clearance but still serve an essential purpose for the DoD and associated agencies. Examples of these types of data include the following:
- Federal Contract Information (FCI): This information is created as part of the working relationship between contract vendors and defense industries. While it isn’t protected by security clearance, it is still considered an important part of defense operations.
- Controlled Unclassified Information (CUI): Defense agencies use or create this information as part of their operations. While it also isn’t classified, it is a critical part of defense operations (more so than FCI) and is deemed subject to cybersecurity controls.
Announced and published in 2019, CMMC version 1.0 exists specifically to certify defense contractors to handle either FCI or CUI. Before these changes, all defense contractors were required to self-certify under the guidelines of NIST Special Publication 800-171.
Furthermore, CMMC serves as a critical bridge from the previous model of self-attestation to a new one requiring third-party audits. Rulemaking began in 2019 and continued into 2020, and the interim rule Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041 was implemented to start including CMMC requirements in all defense requests for proposals.
In November 2021, the DoD announced a new revision of CMMC, version 2.0. While CMMC 2.0 is expected to take effect within the next year or two, CMMC 1.0 is still the core regulation that organizations must follow for compliance.
What is the scope of the CMMC framework?
The scope of the CMMC framework covers the security of all Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) stored or handled by a covered contractor’s (organization’s) environment and applies to all activities conducted by the organization. The process and procedures address the security of all areas of the contractor’s organization that process, store, or transmit FCI and CUI, including their networks, systems, personnel, and other assets.
CMMI and defense contractors
The Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI helps organizations to improve process performance and integrate organizational processes. It is used across a variety of industries, including aerospace, defense, software engineering, finance, government, and healthcare. CMMI is a framework that defines process improvement stages and assesses the maturity of organizations in six key areas of process implementation: performance, project management, services, support, process integration, and organizational process focus.
The Cybersecurity Maturity Model Certification (CMMC) is a certification created by the U.S. Department of Defense (DoD) to better protect unclassified data that is either processed on or stored on DoD contractor and subcontractor networks. CMMC certification is required for DoD contracts, and it is intended to provide an additional layer of security for sensitive data and information systems. CMMC is designed to address the need for additional security controls for DoD contractors and suppliers handling Controlled Unclassified Information (CUI).
The main difference between CMMI and CMMC is the purpose of each certification. CMMI is a process improvement approach used to improve organizational processes and performance, while CMMC is a security certification intended to protect unclassified data stored on DoD contractor and subcontractor networks.
Defense contractors should adhere to both CMMI and CMMC in order to increase the security of their systems and ensure they are compliant with all relevant DoD regulations. CMMI will help contractors better manage and improve their processes, while CMMC will protect their networks and unclassified data. CMMC also provides a basis for determining whether a defense contractor is meeting its contractual obligations. By adhering to both, defense contractors can protect their networks, data, and systems, as well as their reputation.
What Are CMMC Version 1.0 Maturity Levels?
One of the more significant changes from the previous regulations was the measurement of cybersecurity "maturity" through differing levels. Contractors seeking certification would work toward one of its levels. The required maturity level is stated in any defense request for proposal and is dictated by the types of data managed by the vendor and the demands of their client agency.
Under version 1.0, maturity is defined by both "processes" (the overarching capabilities of the organization) and "practices" (a measure of cyber hygiene based on the number of controls implemented from NIST 800-171).
The five maturity levels of CMMC 1.0 are as follows:
- Level 1: At Level 1, vendors are expected to have "basic" cyber hygiene (17 total controls) and the ability to implement them as needed. Level 1 is the minimum requirement for a contractor to handle FCI.
- Level 2: At Level 2, vendors should have "intermediate" cyber hygiene (48 controls) and the ability to document the implementation of those controls to support repeated implementation over time.
- Level 3: Level 3 expects vendors to have "good" cyber hygiene (110 controls) and the capacity to manage their overall security system (including creating mission and goal statements, resourcing, training, and communicating with relevant stakeholders). Level 3 is the minimum requirement for a contractor to handle CUI.
- Level 4: Contractors are expected to adopt advanced cybersecurity postures. This means having "proactive" cyber hygiene (156 controls) geared toward addressing some of the most advanced hacking tactics. Additionally, these organizations should be able to review their security infrastructure, collect data, create metrics, and measure effectiveness.
- Level 5: The highest standing, Level 5 calls for "advanced proactive" hygiene geared toward detecting and mitigating advanced persistent threats (171 controls). Finally, organizations at this level are expected to be able to take everything they’ve implemented, standardize it, optimize it, and demonstrate the ability to do so regularly.
What Is a Certified Third Party Assessor Organization?
The other major update from CMMC 1.0 is the requirement of a third-party assessment through a Certified Third Party Assessor Organization (C3PAO).
C3PAOs are critical security firms in defense cybersecurity that have received accreditation from the CMMC Accreditation Body (CMMC-AB) to provide audits of defense contractors. Any organization familiar with other security frameworks like FedRAMP will immediately recognize this process. CMMC borrows some of its auditing process from the same documents, namely NIST 800-53 and FIPS 140-2.
One of the drawbacks to working with a C3PAO is that it cannot also serve as a consultant to your organization. That’s why there is a secondary designation under the regulations—the Registered Provider Organization (RPO). An RPO can provide consulting, recommendations, and advice to clients who are preparing for their compliance journey. The same security firm can never serve as both an RPO and a C3PAO for a single organization.
What Is CMMC 2.0?
In November of 2021, the DoD revised requirements based on feedback from partner organizations and firms undergoing the C3PAO certification process. Their goal with this revision was to streamline the framework to make it less costly and time-consuming for all stakeholders without sacrificing effectiveness.
The proposed changes under version 2.0 include the following:
- Reducing Maturity Levels From Five to Three: Under 2.0, the new model will only include three maturity levels. Level 1 will still be the minimum to handle FCI and require 17 practices from NIST 800-171. Level 2 will be the minimum level for managing CUI and represents a merger of the original second and third levels with a required 110 total practices. Finally, Level 3 will include 110+ required practices (determined by the needs of the client agency).
- Only Limited Requirements for C3PAOs: Rather than requiring a C3PAO for all contractors, version 2.0 only requires a triennial (every three years) third-party audit for certification at Levels 2 and 3. Contractors seeking Level 1 certification (and a limited number of those seeking specific Level 2 certifications) can opt for annual self-attestation.
- Plan of Action and Milestones: Some other frameworks include the option for audited contractors to submit a POA&M at the end of their audits. Suppose the auditor determined that the contractor was not fully compliant but could become compliant in a reasonable time frame with relatively simple changes. In that case, the auditor could authorize the contractor with a completed and binding POA&M. CMMC 1.0 did not allow this approach—the contractor had to be fully compliant to receive certification. Under version 2.0, the DoD will allow POA&Ms under certain conditions.
The CMMC 2.0 model is currently just a publication and undergoing review and rulemaking processes. It is expected to finish that process in 9–24 months. In the meantime, the CMMC-AB still honors and operates under version 1.0 audits and certifications.
CMMC 1.0 & CMMC 2.0—What’s Changed?
CMMC (Cybersecurity Maturity Model Certification) 1.0 was released in January 2020 as a response to the increasing sophistication and frequency of cyber threats. The framework provided a simple five-level certification model that outlined the minimum security requirements organizations needed to meet in order to comply with U.S. Department of Defense (DoD) regulations.
CMMC 2.0 was released in October 2020 and built on the original framework. It is designed to guide and assess the maturity of an organization’s cybersecurity program. It still consists of five levels, but now includes more rigorous controls and procedures meant to ensure organizations are taking an adaptive approach to protecting their data.
Significant changes between CMMC 1.0 and CMMC 2.0 include:
- Introducing more granular levels (Levels 1-5) of performance that organizations must meet instead of the broad categories of basic, medium, and high required by CMMC 1.0.
- A focus on proactive approaches to cybersecurity that emphasize adaptability and continuous improvement instead of static compliance.
- Applying the same security requirements for contractors and subcontractors, ensuring more consistent standards across the DoD supply chain.
- Introducing more specific steps that organizations must take in order to fully meet the security requirements outlined in the CMMC model. This includes elements such as monitoring, making organizational changes, and developing policies and procedures.
- Incorporating more detailed descriptions for each control as well as expectations for how organizations can meet them.
These descriptions are designed to offer guidance on implementing the security controls and what is required for compliance.
How to Approach CMMC Certification
There are a few best practices that help the certification process:
- Use the Marketplace: The CMMC-AB website includes a marketplace for both RPOs and C3PAOs (including those currently undergoing their own certification). Always select potential partners from this site; it is the authenticated, legitimate source for reputable security firms in this market.
- Work With Compliant Technology: More likely than not, businesses work with some cloud provider, managed service provider, or file management vendor as part of their operations. Maintaining compliance requires that companies vet their vendors and only work with those who have or can support certified technology.
- Work With an RPO: Don’t make things harder than they need to be. While a C3PAO can help with your audit, an RPO can help prepare for that audit in ways a C3PAO can’t. Look into RPO and CMMC advisory services as you start with compliance efforts.
- Get Ready for Version 2.0: If you are already working through CMMC now, you will receive certification under the current regulations and be grandfathered into CMMC 2.0. The DoD is already preparing for that transition, but in the meantime it is best to know now what your obligations will be under the new framework.
CMMC Certification to Support the Defense of the Nation
Certification isn’t just another hoop—it is a critical part of your work as a contractor in the defense industrial base supply chain. Your technology, practices, people, and operation must be aligned with this important security model. However, the rewards for compliance also contribute to your business with better security, better resources, and a more mature cybersecurity posture overall.
To learn more about Kiteworks, compliance, and the CMMC framework, read our whitepaper on CMMC Compliance. Or, to learn more about how the Kiteworks platform supports your business goals, contact the team to set up a tailored demo.