CMMC 1.0 vs. CMMC 2.0: What's Changed and What It Means for Your Business
The Cybersecurity Maturity Model Certification (CMMC) is a set of overarching cybersecurity standards and practices that organizations in the Defense Industrial Base (DIB) must implement to protect their business data. Introduced by the U.S. Department of Defense (DoD) in 2020, CMMC was designed to protect the confidentiality of federal contract information (FCI) and controlled unclassified information (CUI).
Because of the sensitivity of information handled by companies that contract with the Department of Defense (DoD), contractors and subcontractors are required to achieve compliance with at least one level of the CMMC. In doing so, organizations operating within the DoD supply chain must meet and maintain a good cybersecurity posture. Phased implementation begins later this year with late 2025 targeted for full implementation.
What Is CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is a unified set of cybersecurity standards and practices applicable to all DoD contractors. It provides a unified set of requirements that organizations must meet to protect FCI and CUI from unauthorized access and modification. CMMC is designed to ensure that DoD contractors comply with government cybersecurity regulations and prevent the unauthorized handling and dissemination of sensitive content.
Why Is It Important?
CMMC is important for two reasons. First, it provides organizations with a framework for meeting DoD cybersecurity standards. Second, it helps organizations protect the confidentiality of FCI and CUI. This is important for DoD contractors, as the unauthorized access or modification of FCI and CUI could result in significant financial, reputational, and legal repercussions.
From CMMC 1.0 to CMMC 2.0
In November 2021, the DoD announced that it would be implementing CMMC 2.0 in place of CMMC 1.0. This updated framework implements several changes to increase the cyber hygiene of all contractors that hold or participate in DoD contracts. The DoD announced it would engage in rulemaking over the subsequent 9 to 24 months, making it critical for federal contractors and subcontractors to prepare for the implementation of CMMC 2.0 so that they can achieve compliance.
CMMC 1.0, released in 2020, includes control domains and security practices, which are divided into five security maturity levels ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 5). CMMC 2.0 reduced the maturity levels from 5 to 3. CMMC 2.0 removed Levels 2 and 4. Maturity Level 1 remained unchanged. It still has 17 practice requirements that align with the 15 cybersecurity practices in FAR Clause 52.204-21.
CMMC 2.0 Level 2 takes the place of the previous maturity Level 3, but without the delta 20 practices, aligning this level with the 110 practices of NIST SP 800-171. CMMC 2.0 Level 3 is still under development based on a subset of NIST 800-172. It takes the place of the previous maturity Levels 4 and 5.
CMMC 1.0 vs. CMMC 2.0: Major Differences
Some of the major differences that came with the introduction of CMMC 2.0 from CMMC 1.0 include:
The CMMC 1.0 model established five certification levels, while the CMMC 2.0 model has consolidated the certification levels to three. The certification levels are critical for determining the security requirements for the specific contract.
For CMMC 2.0, Level 1 (Foundational) is necessary for DoD contractors and subcontractors that handle FCI. CMMC 2.0 Level 1 requires organizations to adhere to basic cybersecurity practices focused on protecting FCI, as specified in FAR Clause 52.204-21.
CMMC 2.0 Level 2 (Advanced) requires organizations to have more robust cybersecurity practices in place, such as access control, incident response, and media protection. This level is designed to protect the integrity and availability of CUI from more sophisticated threats. The Advanced level is aligned with National Institute of Standards & Technology SP 800-171 (NIST 800-171). This level requires triennial third-party assessments by a CMMC Third Party Assessor Organization (C3PAO).
Level 3 (Expert) is the highest level of CMMC and requires the implementation of advanced practices such as system hardening and data recovery. This level is designed to protect the confidentiality, integrity, and availability of CUI from advanced persistent threats. Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172.
The number of security domains included in the CMMC 2.0 model has increased significantly when compared to the CMMC 1.0 model. The additional domains relate more closely to day-to-day operations and include topics such as Incident Response, Anomaly Detection, Supply Chain Risk Management, and System Security Planning. These new domains provide a more comprehensive view of a contractor’s operations and provide more assurance of the security of their assets.
The CMMC 2.0 model requires the use of C3PAO for Level 2 and Level 3. C3PAOs are entrusted with assessing and certifying that companies in the DIB supply chain have met the cybersecurity requirements of the CMMC standard. Their responsibilities include evaluating and issuing certificates of adherence to the CMMC standard.
Best Practices for Achieving CMMC 2.0 Compliance
For an organization to successfully comply and be certified for any of the three levels of CMMC 2.0 compliance, it needs to follow some best practices, which include:
Implementing Security Controls
The first step in achieving CMMC 2.0 compliance is to implement security controls. To begin, organizations should identify their current compliance requirements and establish a baseline risk assessment that outlines the scope of the security controls that must be implemented. Security controls should be tailored to an organization’s specific needs, making sure that all systems and processes are covered. Organizations should take into consideration the technical and procedural measures necessary to protect information and systems, such as access control, identity and authentication management, configuration management, segregation of duties, data security, system patching and vulnerability management, security training, and incident response plans.
Conducting Continuous Monitoring
Once the security controls are in place, organizations should ensure they are continuously monitored. Continuous monitoring involves regularly assessing the environment to ensure the effectiveness of the security controls implemented and that current threats are identified and addressed in a timely manner. Organizations should develop a process to identify, assess, and remediate any issues that may arise during monitoring activities. This process should include measures to document any security incidents, review security activities and trends, and take appropriate actions when necessary.
Establishing Incident Response Plans
Organizations should also establish an incident response plan prior to attempting CMMC 2.0 compliance. This plan should outline the steps an organization will take if it experiences a security incident, such as the types of incidents that will trigger a response, the roles and responsibilities of personnel involved, the processes to be followed, and the appropriate communication activities. It is also important for organizations to develop a plan for recovering from a security incident, including identifying the data and systems to be restored, the steps necessary to restore them, and the personnel that should be notified. Additionally, organizations should make sure to regularly review and update their incident response plans to ensure they are up to date and effective.
Organizations should document their processes and activities to demonstrate compliance with CMMC 2.0. Documentation should include any security policies, procedures, and training activities; incident response plans; and assessment results. It is important to ensure that all documentation is accurate, up to date, and easily accessible. Organizations should also make sure that all personnel are familiar with the documentation, including how to use it and what it covers. Additionally, organizations should develop procedures to ensure that the documentation is regularly reviewed and updated to keep pace with changes in the environment.
Frequently Asked Questions
Why Is CMMC Compliance Important?
The DoD mandates that all contractors adhere to the CMMC requirements to be eligible for government contracts. This ensures that these contractors understand and are actively implementing protective measures against malicious actors and data breaches. CMMC compliance is also important for organizations to demonstrate their commitment to cybersecurity and demonstrate that sensitive customer data is properly protected.
What Are CMMC Security Requirements?
CMMC security requirements are a set of security standards designed to help organizations secure their networks, protect their data, and comply with applicable laws and regulations. The requirements are divided into the three CMMC 2.0 levels outlined above and cover areas such as access control, configuration management, incident response, media protection, system and communications protection, personnel security, and physical protection.
How Do CMMC Requirements Differ From NIST SP 800-171 Requirements?
CMMC 2.0 Level 2 is aligned with NIST SP 800-171, specifying that organizations in the DIB to self-certify—either be compliant or to take concrete steps toward compliance. CMMC Levels 2 and 3 make provisions for C3PAOs to assess organizations and assign a maturity level based on the state of its cybersecurity program. Level 1, the Foundational level, only requires self-assessment.
Accelerating CMMC Compliance With Kiteworks
Kiteworks is a trusted provider of cybersecurity solutions for federal agencies like the DoD as well as various DIB suppliers that require CMMC certification. Because Kiteworks is FedRAMP Authorized for Moderate Level Impact, DoD suppliers using Kiteworks benefit from support for nearly 90% of CMMC 2.0 Level 2 requirements out of the box. This significantly reduces the time required for DoD contractors and subcontractors to obtain CMMC Level 2 compliance.
This translates into positive outcomes when a DoD supplier goes through a C3PAO audit. Specifically, the Kiteworks Private Content Network helps them streamline the CMMC processes and audit procedures, making the whole process faster and more efficient. With Kiteworks’ support, DoD contractors can protect their DoD business by obtaining CMMC compliance quickly and easily.
Schedule a custom demo tailored to see the Kiteworks platform in action and how it can accelerate your CMMC compliance journey.
Get email updates with our latest blogs news