CMMC 2.0 Compliance

CMMC 2.0 Compliance: Controls, Levels & Requirements

If you're in the business of selling or providing services/products to the U.S. Department of Defense (DoD), then you need to know about CMMC 2.0.

It can appear complicated, and it's going to affect how you do business with the DoD in the future. But don't worry – we're here to help make sense of all the information.

CMMC 2.0, announced on 11/4/2021, includes updates to streamline the tiered model of certification levels, assessment procedures, and a little more clarity on what Organizations Seeking Certification (OSC) can do to prepare and succeed under CMMC.

In this guide, we'll cover all the details of CMMC 2.0, including what’s changed and what it means to DoD contractors and companies in the Defense Industrial Base (DIB).

This CMMC compliance guide discusses the updated controls and levels, compliance requirements, the assessment process, and how you can work to ensure compliance.

 

Want to learn more about the CMMC 2.0 model? 

Hoop5 has helped DoD service providers, manufacturers, and contractors understand cybersecurity practices for CMMC, including how National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, 7019, 7020, and 7021 can impact their business and how they can prepare. 

What is CMMC 2.0?

The CMMC framework increases the cybersecurity posture of organizations in the Defense Industrial Base (DIB).

It’s designed to validate the protection of controlled unclassified information (CUI) that the DoD shares with its contractors and subcontractors.

The CMMC framework incorporates a set of cybersecurity requirements into contracts and assures the DoD that contractors and subcontractors are meeting these requirements.

The CMMC framework has three key features, including a tiered model, assessments, and implementation through contracts. 

Tiered model

The tiered model requires companies entrusted with national security information to implement cybersecurity standards at progressively higher levels, based on the type of information and its sensitivity. This model also establishes the processes for disseminating this information to subcontractors.

Assessments

CMMC assessments allow the DoD to verify that the contractor has implemented the required cybersecurity standards.

Implementation

Some DoD contractors that handle CUI will also need to achieve a specified CMMC level as a condition of receiving the contract once CMMC is fully implemented.

From the surface, it appears there were a lot of drastic changes from CMMC 1.02 to CMMC 2.0. However, when you look at what is required today vs what will be required in the future, things didn’t really change that much.

NIST SP 800-171 is, and always has been, the backbone and associated focus of protecting the confidentiality of CUI. Under NIST 800-171, contractors are required to show policy and procedure documentation, to support their implementation.

CMMC was originally developed to verify that the accountability of defense contractors was taking place, versus a self-assessing trust model that wasn't working.

  • It trims the number of CMMC levels from five to three. The new CMMC 2.0 levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

  • CMMC 2.0 dropped 20 security requirements for the new CMMC Level 2. It now dovetails completely with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share CUI.

  • Whereas POAMs were not allowed in 1.0, CMMC 2.0 will allow for limited use of Plans of Actions and Milestones (POAMs). POAMs can only be used for 1 point controls, not the more complex 3 or 5 point controls.

  • Waivers for certification will be permitted in very limited circumstances.

CMMC 1.0 to 2.0 Changes

3 Levels of CMMC 2.0

CMMC 2.0 eliminates Levels 2 and 4 of CMMC 1.0, which were transition levels between the levels immediately above and below them. The new CMMC 2.0 levels are based on the type of information that DIB organizations handle, as described below:

CMMC 2.0: Level 1 (Foundational)

Only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems, limit access to authorized users.

CMMC 2.0: Level 2 (Advanced)

is for companies working with CUI. It is comparable to the old CMMC Level 3.
CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.

CMMC 2.0: Level 3 (Expert)

is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

17 CMMC Domains

Access Control (AC)

Asset Management (AM)

Audit and Accountability (AA)

Awareness and Training (AT)

Configuration Management (CM)

Identification and Authentication (IDA)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Personnel Security (PS)

Physical Protection (PP)

Recovery (RE)

Risk Management (RM)

Security Assessment (SAS)

Situational Awareness (SA)

System and Communication Protection (SCP)

System and Information Integrity (SII)

Who Needs CMMC Certification?

Every contractor in the defense industrial base must conduct a self-assessment once per year. However, the same is not true for third-party assessments. CMMC 2.0 understands that different types of sensitive information require different degrees of protection. As such, third-party assessment requirements will consequently be based on the type of information DIB companies are working with.

Companies seeking Level 1 requirements will not require 3rd party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204.21

If you’re seeking CMMC level 2, you can expect to need a third-party assessment every three years. The DoD has rolled back its earlier statements that it will bifurcate level 2 requirements. This means that you should plan on being assessed by accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors.

Companies seeking Level 3 (Expert) compliance will need to meet the security requirements specified in NIST SP 800-171 plus a subset of requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking level 3 compliance will be assessed. However, those companies will require a DIBCAC audit to achieve compliance.

At present, no assessments by C3PAOs of defense contractors are currently taking place. The DoD is expected to rollout the final assessment process for C3PAOs in the summer of 2022. At that time, contracts will be able to undergo voluntary assessments with certified C3PAOs.

Cost of CMMC 2.0 Compliance

CMMC 2.0 costs are projected to be significantly lower relative to CMMC 1.0 as a result of plans to streamline requirements at all levels, increase oversight of the third-party assessment ecosystem, and allow contractors at the new Level 1 to perform self-assessments rather than undergo third-party assessments.That said, the cost of CMMC compliance depends on a number of factors.*

Size

While the size of the organization seeking compliance can have a significant impact on overall project costs, the actual number of employees accessing CUI is the more significant driver in determining overall costs of CMMC compliance. As such organizations should limit the the number of employees and technologies touching CUI in order to best manage the compliance boundary and cost.

Maturity

If you’re starting from scratch, your compliance journey will likely cost more, and take longer, than a company that’s further along in their process to start with. Things to consider include the overall maturity level of documentation development, technology implementation, and what processes and procedures are already documented and in use.

Technology Implementation

Achieving CMMC compliance will require a combination of policy as well as technology. The more technologies though that your organization has to implement, the greater your costs. Some of the more expensive technologies include SIEM, vulnerability scanning tools and FIPS 140-2 validated technology tools.

Cost Breakdown

For most organizations, consulting costs will make up the bulk of their budget. This includes policy, procedure, documentation creation and gap analysis. Current industry standards show consulting costs range from between $5,000-$25,000 on consulting costs alone as a SMB.

How to Get Started with CMMC 2.0 Compliance

If you’re a defense contractor looking to start your CMMC compliance journey, you should look to meet the 110 controls in NIST 800-171. Don’t procrastinate. Preparation to meet these controls can take up to 18 months.

Here to Help

As a CMMC Registered Provider Organization (RPO), Hoop5 is here to help you meet your security and compliance needs.

We specialize in compliance services and managed security for companies who need to obtain CMMC. We can also conduct an assessment and perform the remediation needed to pass an audit for the required CMMC level.

Contact us today to see how we can save you time and money in obtaining CMMC compliance.