CMMC 2.0 COMPLIANCE FAQs
On November 4, 2021, the Department of Defense announced plans to suspend the current Cybersecurity Maturity Model Certification (CMMC) program and replace it with a more comprehensive framework, CMMC 2.0, to protect the defense industrial base from increasingly frequent and complex cyberattacks. According to the official release, CMMC 2.0:
• Cuts red tape for small and medium-sized businesses
• Sets priorities for protecting DoD information
• Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
Who must comply with CMMC?
The short answer is all DoD contractors. CMMC applies to anyone in the defense contract supply chain. These include contractors who engage directly with the Department of Defense and subcontractors contracting with primes to fulfill and/or execute those contracts.
In other words, if your business performs contract work for a company that works directly with the DoD (e.g., General Motors), your organization must comply with CMMC.
What does CMMC stand for?
Cybersecurity Maturity Model Certification.
What does DIB stand for?
DIB stands for the Defense Industrial Base.
What is CMMC compliance?
CMMC (Cybersecurity Maturity Model Certification) is a system of compliance levels that helps the government, specifically the Department of Defense, determine whether an organization has the security necessary to work with controlled or otherwise vulnerable data.
What is CMMC 2.0 compliance?
The Department of Defense launched CMMC 2.0 in November 2021; it was structured to make certification more effective for contractors in the DIB. These changes include a complete restructuring of CMMC’s maturity levels by eliminating two of the original five ratings, improved assessment protocols that reduce costs for contractors, and the introduction of a more flexible path to certification through Plans of Action & Milestones (POA&Ms).
Are there different certification levels of CMMC 2.0?
Yes, there are 3 levels of CMMC 2.0.
Level 1 is the most basic level of CMMC compliance and includes basic security systems, password hygiene and antivirus protection software. It’s the most foundational form of security.
Level 5, the highest level of CMMC compliance, includes proactive techniques to detect and resolve threats before they begin, as well as systems and processes in place to audit infrastructure, identify gaps and fix them. The additional controls, practices and processes deliver a deeper and more sophisticated cybersecurity posture.
What are the main differences between CMMC and CMMC 2.0?
One significant change will be the reduction in security compliance levels from five to three.
Level 1, aka the “foundational level,” includes 10 mandatory cybersecurity practices and requires annual self-assessments.
Level 2, the “advanced level,” requires compliance with the 110 practices aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, as set forth in DFARS 252.204-7012.
Under Level 3, the “expert level,” contractors will need to employ cyber hygiene that goes beyond the 110 NIST standard practices.
Under CMMC 2.0, all Level 1 category companies and a subset of Level 2 companies can rely on self-assessments. The remaining Level 2 companies must undergo third-party assessments on a triennial basis. All companies in Level 3 will require triennial government-led assessments rather than third-party assessments. CMMC 2.0 will allow for waivers to the cybersecurity requirements under certain limited circumstances when the DoD must acquire select mission-critical requirements.
Additionally, CMMC 2.0 dropped 20 security requirements for the new CMMC Level 2. It now dovetails completely with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share CUI.
When must organizations become CMMC 2.0 compliant?
While the DoD could expedite the model’s rollout, CMMC 2.0 is expected to go into effect in May 2023 and be in contracts by July 2023.
How do organizations get CMMC certification?
Organizations are not allowed to self-certify for the CMMC. Rather, government contractors and those who work with government entities must go through a third-party certification process. This third party will audit their current security measures and methods and identify what level of maturity and preparedness they meet.
Because CMMC certification cannot be self-certified and requires a third-party analysis, most companies will undergo a thorough audit before they attempt to certify. A managed services provider like Louisville Geek can help a company go through the CMMC framework, determine if there are improvements that could be made and organize the certification process itself. Once the certification process has been completed, an MSP can also create a game plan for improving the level of certification (if needed).
What does CMMC mean for MSPs or MSSPs?
If the MSP or MSSP processes and/or stores unencrypted Controlled Unclassified Information (CUI), then the contractor or subcontractor using their services needs to ensure that the MSP or MSSP meets the requirements of the DoD contract. MSPs or MSSPs that don’t have access to CUI are not required to become CMMC certified themselves, but they must ensure the services they provide meet the standards of controls their customers must adhere to.
Are Plans of Action and Milestones (POA&Ms) allowed in CMMC 2.0?
While POA&Ms were not allowed in 1.0, CMMC 2.0 will allow for limited use of POA&Ms. POA&Ms can only be used for 1-point controls, not the more complex 3- or 5-point controls.