While CMMC is still evolving, you will want to ensure your business is up to date on what a CMMC certification is and how its updates affect you.
What is CMMC? Cybersecurity Maturity Model Certification is a standard that requires Department of Defense contractors to meet certain levels of cybersecurity in order to protect the department’s sensitive data.
What Is the CMMC Framework?
The Cybersecurity Maturity Model Certification (CMMC) is a streamlined and centralized cybersecurity framework created by the U.S. Department of Defense to support contractors in defense supply chain compliance and security efforts.
Based on the types of data they manage—which is determined in part by the agency they work with—defense contractors must have certain kinds of IT security and privacy controls in place, and if relevant, certain clearance levels. However, some types of data don’t require special security clearance but still serve an essential purpose for the DoD and associated agencies. Examples of these types of data include the following:
- Federal Contract Information (FCI): This information is created as part of the working relationship between contract vendors and defense industries. While it isn’t protected by security clearance, it is still considered an important part of defense operations.
- Controlled Unclassified Information (CUI): Defense agencies use or create this information as part of their operations. While it also isn’t classified, it is a critical part of defense operations (more so than FCI) and is deemed subject to cybersecurity controls.
Announced and published in 2019, CMMC version 1.0 exists specifically to certify defense contractors to handle either FCI or CUI. Before these changes, all defense contractors were required to self-certify under the guidelines of NIST Special Publication 800-171.
Furthermore, CMMC serves as a critical bridge from the previous model of self-attestation to a new one requiring third-party audits. Rulemaking began in 2019 and continued into 2020, and the interim rule Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041 was implemented to start including requirements in all defense requests for proposals.
In November 2021, the DoD announced a new revision of CMMC, version 2.0. While CMMC 2.0 is expected to take effect within the next year or two, CMMC 1.0 is still the core regulation that organizations must follow for compliance.
What Are CMMC Version 1.0 Maturity Levels?
One of the more significant changes from the previous regulations was the measurement of cybersecurity "maturity" through differing levels. Contractors seeking certification would work toward one of its levels. The required maturity level is stated in any defense request for proposal and is dictated by the types of data managed by the vendor and the demands of their client agency.
Under version 1.0, maturity is defined by both "processes" (the overarching capabilities of the organization) and "practices" (a measure of cyber hygiene based on the number of controls implemented from NIST 800-171).
The five maturity levels of CMMC 1.0 are as follows:
- Level 1: At Level 1, vendors are expected to have "basic" cyber hygiene (17 total controls) and the ability to implement them as needed. Level 1 is the minimum requirement for a contractor to handle FCI.
- Level 2: At Level 2, vendors should have "intermediate" cyber hygiene (48 controls) and the ability to document the implementation of those controls to support repeated implementation over time.
- Level 3: Level 3 expects vendors to have "good" cyber hygiene (110 controls) and the capacity to manage their overall security system (including creating mission and goal statements, resourcing, training, and communicating with relevant stakeholders). Level 3 is the minimum requirement for a contractor to handle CUI.
- Level 4: Contractors are expected to adopt advanced cybersecurity postures. This means having "proactive" cyber hygiene (156 controls) geared toward addressing some of the most advanced hacking tactics. Additionally, these organizations should be able to review their security infrastructure, collect data, create metrics, and measure effectiveness.
- Level 5: The highest standing, Level 5 calls for "advanced proactive" hygiene geared toward detecting and mitigating advanced persistent threats (171 controls). Finally, organizations at this level are expected to be able to take everything they’ve implemented, standardize it, optimize it, and demonstrate the ability to do so regularly.
What Is a Certified Third-Party Assessment Organization?
The other major update from CMMC 1.0 is the requirement of a third-party assessment through a Certified Third-Party Assessment Organization (C3PAO).
C3PAOs are critical security firms in defense cybersecurity that have received accreditation from the CMMC Accreditation Body (CMMC-AB) to provide audits of defense contractors. Any organization familiar with other security frameworks like FedRAMP will immediately recognize this process. CMMC borrows some of its auditing process from the same documents, namely NIST 800-53 and FIPS 140-2.
One of the drawbacks to working with a C3PAO is that it cannot also serve as a consultant to your organization. That’s why there is a secondary designation under the regulations—the Registered Provider Organization (RPO). An RPO can provide consulting, recommendations, and advice to clients who are preparing for their compliance journey. The same security firm can never serve as both an RPO and a C3PAO for a single organization.
What Is CMMC 2.0?
In November of 2021, the DoD revised requirements based on feedback from partner organizations and firms undergoing the C3PAO certification process. Their goal with this revision was to streamline the framework to make it less costly and time-consuming for all stakeholders without sacrificing effectiveness.
The proposed changes under version 2.0 include the following:
- Reducing Maturity Levels From Five to Three: Under 2.0, the new model will only include three maturity levels. Level 1 will still be the minimum to handle FCI and require 17 practices from NIST 800-171. Level 2 will be the minimum level for managing CUI and represents a merger of the original second and third levels with a required 110 total practices. Finally, Level 3 will include 110+ required practices (determined by the needs of the client agency).
- Only Limited Requirements for C3PAOs: Rather than require a C3PAO for all contractors, version 2.0 only requires a triannual third-party audit for certification at Levels 2 and 3. Contractors seeking Level 1 certification (and a limited number of those seeking specific Level 2 certifications) can opt for annual self-attestation.
- Plan of Action and Milestones: Some other frameworks included the option for audited contractors to submit a POA&M at the end of their audits. Suppose their auditor determined that the contractor was not fully compliant but could become compliant in a reasonable time frame with relatively simple changes. In that case, the auditor could authorize the contractor with a completed and binding POA&M. CMMC 1.0 did not allow this approach—the contractor had to be fully compliant to receive certification. Under version 2.0, the DoD will allow POA&Ms under certain conditions.
The CMMC 2.0 model is currently just a publication and undergoing review and rulemaking processes. It is expected to finish that process in 9–24 months. In the meantime, the CMMC-AB still honors and operates under version 1.0 audits and certifications.
How To Approach CMMC Certification
CMMC is very prescriptive, so with the help of trained professionals, certification can sometimes be as simple as understanding the requirements, implementing them, and working toward certification.
There are, however, a few best practices to help the certification process:
- Use the Marketplace: The CMMC-AB website includes a marketplace for both RPOs and C3PAOs (even those currently undergoing their own certification). Always select potential partners from this site, a real, authenticated, and legitimate source for reputable security firms in this market.
- Work With Compliant Technology: More likely than not, businesses work with some cloud provider, managed service provider, or file management vendor as part of their operations. Maintaining compliance requires that companies vet their vendors and only work with those who have or can support certified technology.
- Work With an RPO: Don’t make things harder than they need to be. While a C3PAO can help with your audit, an RPO can help prepare for that audit in ways a C3PAO can’t. Look into RPO and CMMC advisory services as you start with compliance efforts.
- Get Ready for Version 2.0: If you are already working through CMMC now, then you will receive certification under the current regulations and be grandfathered into CMMC 2.0. The DoD is already preparing for that transition, but in the meantime it is best to know now what your obligations will be under the new framework.
CMMC Certification To Support the Defense of the Nation
Certification isn’t just another hoop—it is a critical part of your work as a contractor in the defense industrial base supply chain. Your technology, practices, people, and operation must be aligned with this important security model. However, the rewards for compliance also contribute to your business with better security, better resources, and a more mature cybersecurity posture overall.
To learn more about Kiteworks, compliance, and the CMMC framework, read our whitepaper on CMMC Compliance. Or, to learn more about how the Kiteworks platform supports your business goals, contact the team to set up a tailored demo.