New CMMC 2.0 Requirements To Take Effect Soon for DoD Suppliers

New requirements are coming for organizations that work for the US Department of Defense (DoD). Specifically, contractors working for the DoD and the Defense Industrial Base (DIB), and all subcontractors servicing DoD contractors (including organizations that work for companies that work directly with the DoD), must soon comply with updates to the Cybersecurity Maturity Model Certification (CMMC) program. Commonly referred to as CMMC 2.0, the updated program is designed to protect the DoD, the companies that service the defense industry, and US military technologies and information from persistent, ever-evolving cybersecurity threats.

While the updated requirements and practices included within CMMC 2.0 are still being finalized, the new standards will be required of DoD contractors and subcontractors as soon as the corresponding rulemaking process completes. CMMC director Stacy Bostjanick confirmed at a cybersecurity conference in April 2022 that the Pentagon is working to have the new rules in force by May 2023. CMMC 2.0 compliance requirements could then begin appearing within new DoD contracts as soon as July 2023.

The first CMMC requirements were announced in September 2020 and took effect November 30, 2020. The revised standards should come as no surprise: one year later, in November 2021, the DoD alerted defense industry suppliers that updated CMMC standards would be forthcoming.

The initial CMMC program introduced three specific elements. The first was a tiered model in which participants must establish and manage increasingly advanced cybersecurity protections based on the type of defense information they handle. The second was a requirement that participants permit the DoD to verify their compliance. The third phased the program in through the contracts awarded to contractors and their subcontractors. Under CMMC, defense industry participants handling unclassified but sensitive information must also meet the program's cybersecurity standards, practices and requirements at the specified level to be eligible for contracts.

CMMC 2.0 updates the program's structure and its security requirements. The DoD states that the revised framework better protects sensitive information while simplifying compliance by permitting participants to perform self-assessments in some cases. The new standards update DIB cybersecurity requirements and emphasize accountability and the importance of building a collaborative cybersecurity culture. The updated model also sets priorities for protecting DoD information while bolstering cooperative cybersecurity response between the DoD and defense suppliers.

Under CMMC 2.0, the model is streamlined from five levels of cybersecurity compliance to three. Further, the tiers are aligned with cybersecurity standards widely adopted and prescribed by the National Institute of Standards and Technology (NIST).

Here's how the new three-tier structure will work. The first tier, Level 1 (Foundational), requires compliance with 17 fundamental cybersecurity practices, targets Federal Contract Information (FCI) that is not critical to national security, and requires an annual self-assessment. The second tier, Level 2 (Advanced), requires compliance with 110 NIST-aligned cybersecurity practices and targets controlled unclassified information (CUI); prioritized acquisitions require a triennial (every three years) third-party assessment, while non-prioritized acquisitions permit an annual self-assessment. The top tier, Level 3 (Expert), requires compliance with more than 110 NIST-aligned cybersecurity practices, targets CUI on the highest-priority programs, and requires a triennial government-led assessment. More information on CMMC 2.0's specific practices is available on the DoD's CMMC website.

The updated standards permit companies at Level 1, as well as a subset of firms requiring Level 2, to demonstrate compliance through self-assessment. Accountability, meanwhile, is strengthened by increased oversight of third-party assessors.

Collaboration is improved by allowing firms, in specific cases, to achieve certification while working through Plans of Action & Milestones (POA&Ms) for outstanding requirements. Further, the DoD is introducing the ability to waive CMMC requirements on specific, limited occasions.

 To assist organizations in earning and maintaining CMCC compliance, the government provides numerous resources describing and detailing various program aspects, including: 

Do you have more questions or does your organization need assistance assessing or navigating CMMC compliance? Contact a Louisville Geek expert for help understanding the DoD’s new CMMC 2.0 standards. Call 502-897-7577 or email [email protected].