This post contains information regarding the CMMC 2.0 model.
The DoD is in the process of writing rules to clarify the changes made in CMMC 2.0. This could take 9-24 months to complete. Meanwhile, DoD recommends that contractors work toward compliance with NIST SP 800-171 as the required controls can take months to implement.
The Cybersecurity Maturity Model Certification (CMMC) program was created by the U.S. Department of Defense (DoD) in order to improve the cybersecurity efforts of the national defense supply chain. This regulatory compliance program incorporates three levels of fundamental cybersecurity requirements into the acquisition and contract process. The CMMC 2.0 model requirements provide greater assurance to the DoD that defense contractors and subcontractors are taking measures to protect sensitive controlled unclassified information (CUI) within their systems.
As a precursor to CMMC, the DoD released a DFARS amendment, (DFARS Case 2019-D041), or the DFARS Interim Rule. The rule establishes requirements for the reporting of NIST SP 800-171 self-assessment compliance scores and remediation beginning November 30, 2020.
What was the CMMC 1.0 Model?
CMMC 2.0 replaced the original 1.0 model in November 2021. Read about CMMC 2.0.
The government’s initial approach to improving the fundamental security controls within the Defense Industrial Base (DIB) required compliance with NIST SP 800-171 through DFARS 252.204-7012. Contractors had to self-attest to compliance with the 110 controls outlined in the publication. However, when self-attestation with NIST SP 800-171 was deemed lacking, the government released what is now referred to as “CMMC 1.0” in early 2020.
This version of CMMC contained five “maturity levels,” requiring that contractors with access only to federal contract information (FCI) certify at Level 1 and implement 17 controls. Next, those with access to any amount of CUI had to certify at Level 3 and implement 130 controls, 20 of which were CMMC-specific and added to the foundational 110 NIST SP 800-171 controls. Finally, certain companies subject to increased CUI protection had to certify at Level 5 and implement 171 controls. Levels 2 and 4 were transition steps to Levels 3 and 5, respectively. No company could certify at Level 2 or 4.
Mandatory Third-Party Certification
Unlike NIST SP 800-171, CMMC 1.0 did not offer the option to self-attest to compliance in order to qualify for a contract. Instead, each contractor whose system contained any amount of CUI needed an assessment by a Certified Third-Party Assessor Organization (C3PAO). With an estimated 300,000 contractors affected by the regulations and only five C3PAOs available to perform assessments (as of November 2020), the DoD quickly realized that their initial goals were unsustainable.
The certification process was originally planned to begin as C3PAOs became available. In an effort to minimize barriers to program implementation, the DoD began its internal review of the program in March 2021. Ultimately, this review led to the announcement of major program changes in November 2021: CMMC 2.0.
What is the CMMC 2.0 Model?
The DoD announced changes to its new cybersecurity model on November 4, 2021. Introducing several changes that build on and refine the original program requirements, the CMMC 2.0 model includes three key features:
- Tiered Model: Companies entrusted with national security information, depending on the type and sensitivity, must implement cybersecurity standards at progressively higher levels. The program also establishes a procedure for information flow down to subcontractors.
- Assessment Requirement: CMMC assessments enable the DoD to confirm the implementation of clear cybersecurity standards.
- Implementation through contracts: Once requirements are fully implemented, certain DoD contractors who handle sensitive unclassified DoD information must meet a specific CMMC level as a condition of contract award.
CMMC 2.0 changes the model from five to three compliance levels, taking out the “stepping stone” Levels 2 and 4. Now, the model aligns with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards.
CMMC 1.0 Levels
CMMC 2.0 Levels
CMMC 1.0 Requirements
CMMC 2.0 Requirements
Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.
More Access to Certification
The rules to implement CMMC 2.0 are forthcoming. This could take anywhere from 9-24 months to complete. The DoD said that “CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program”1. However, the DoD and cybersecurity service providers recommend that contractors work toward compliance as the required controls take months to implement.