
CMMC 2.0: Your Ultimate Guide to Cybersecurity Compliance for Defense Contractors



The countdown has begun. After the announcement of the Cybersecurity Maturity Model Certification (CMMC) revamp in November 2021, the CMMC 2.0 rules are expected to be finalized in early 2025.


But before we dive into what that means for you, let’s get caught up.




From the Beginning


The Cybersecurity Maturity Model Certification (CMMC) was first introduced by the U.S. Department of Defense (DoD) in January 2020. The original version of CMMC, known as CMMC 1.0, established a framework to assess the cybersecurity practices of defense contractors across the Defense Industrial Base (DIB). It included five levels of cybersecurity maturity, ranging from basic cyber hygiene to advanced practices needed to protect Controlled Unclassified Information (CUI).


In November 2021, the DoD introduced CMMC 2.0, a streamlined version of the original model, reducing the levels from five to three and simplifying the certification process to make it more accessible and less burdensome, particularly for small and medium-sized enterprises.


Introducing CMMC 2.0


The simplified certification model introduced a variety of changes aimed at making certification and compliance more accessible.


What's New?


1. Reduction in Levels

CMMC 1.0


The original model had five levels of cybersecurity maturity, ranging from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive).

CMMC 2.0


This was streamlined to three levels:


  • Level 1 (Foundational): Basic safeguarding practices aligned with Federal Contract Information (FCI) requirements.

  • Level 2 (Advanced): Aligns with NIST SP 800-171 standards for protecting Controlled Unclassified Information (CUI), equivalent to the old Level 3.

  • Level 3 (Expert): Still under development, but intended to include additional NIST SP 800-172 controls for the most sensitive defense programs.


2. Elimination of Certain Requirements

CMMC 1.0


Required all levels to undergo third-party assessments to achieve certification.

CMMC 2.0


Introduces a split approach:


  • Level 1: Requires annual self-assessments.

  • Level 2: Requires third-party assessments only for critical national security information and allows for annual self-assessments for less sensitive contracts.

  • Level 3: Requires government-led assessments for the most sensitive data and systems.


3. Greater Alignment with Existing Standards

CMMC 1.0


Had unique cybersecurity practices that were additional to existing standards.

CMMC 2.0


Streamlines requirements to better align with existing NIST standards (NIST SP 800-171 and SP 800-172), reducing the complexity and redundancy for contractors already following these guidelines.


4. Clarification of Requirements

CMMC 1.0


Some requirements and practices were considered vague or difficult to implement consistently.

CMMC 2.0


Aims to provide clearer guidance on what is required at each level, simplifying the documentation and evidence needed for certification.


5. Flexibility in Compliance

CMMC 1.0


Contractors were required to meet all practices and processes for each level comprehensively.

CMMC 2.0


Offers more flexibility by allowing contractors to demonstrate compliance through self-assessments or third-party assessments, depending on the sensitivity of the data being handled.


6. Removal of Maturity Processes

CMMC 1.0


Included maturity processes as part of the requirements for Levels 2 through 5.

CMMC 2.0


Removes these maturity processes, focusing instead on technical controls that contractors must implement to protect information.


7. Enhanced Focus on Self-Assessment and Accountability

CMMC 1.0


Required third-party assessments for most contractors.

CMMC 2.0


Introduces a self-assessment component for Level 1 and some Level 2 contracts, with an annual affirmation of compliance by senior officials within the contractor organization. This change aims to reduce costs and administrative burdens, particularly for smaller contractors.


CMMC 2.0 Today


As of 2024, the Cybersecurity Maturity Model Certification (CMMC) 2.0 is advancing towards full implementation, with several significant updates and steps forward from the Department of Defense (DoD).



Key Updates in 2024


  1. Proposed Rule and Public Comment Period: In August 2024, the DoD released an updated proposed rule for the Defense Federal Acquisition Regulation Supplement (DFARS) related to CMMC 2.0. This proposed rule outlines new requirements for defense contractors, including a 72-hour notification requirement for any "lapses in information security" or changes to their CMMC certification status. There is a 60-day public comment period ending on October 15, 2024, allowing stakeholders to provide feedback on these new rules.

  2. Continuous Compliance and New Obligations: The proposed rule mandates that contractors maintain their CMMC certification level throughout the contract duration. This includes a requirement for an annual affirmation of "continuous compliance" with cybersecurity requirements, which must be submitted to the DoD. Additionally, prime contractors are responsible for ensuring that their subcontractors are also CMMC compliant. This introduces new layers of responsibility and potential complexities for defense contractors.

  3. Finalization and Implementation Timeline: The final rules are likely to be published in the Federal Register no later than October 25, 2024. After this, there will be a minimum 60-day period before the rules become effective, meaning enforcement could begin in early 2025. This timeline suggests that defense contractors should be prepared to comply with CMMC 2.0 requirements starting from early 2025, with a phased rollout of the program expected over the next few years.



How CRI Supports Your CMMC 2.0 Compliance Journey


As a partner specializing in government compliance, CRI provides a comprehensive suite of services to help defense contractors navigate the complexities of CMMC 2.0. Our approach is designed to align with the requirements of the new framework while minimizing disruption to your business operations.


  • Analysis and Readiness Assessment: We conduct thorough analyses to evaluate your current cybersecurity posture against the CMMC 2.0 requirements. Our readiness assessments are tailored to identify specific areas that need enhancement to achieve desired certification levels.


  • Policy Development and Implementation: CRI helps develop and implement robust cybersecurity policies that align with CMMC 2.0 requirements. This includes creating documentation, controls, and procedures essential for compliance at each maturity level.


  • Audit Support: We provide complete audit lifecycle support, from risk identification, to correction, to testing, and finally to facilitating and interfacing with the auditors.


  • Continuous Monitoring and Support: Our team provides ongoing monitoring and support to ensure continuous compliance. We detect vulnerabilities, manage risks, and respond to incidents promptly.


  • Training and Awareness: We offer training to ensure your team is well-versed in cybersecurity best practices and CMMC requirements. This is crucial in maintaining compliance and safeguarding sensitive information.






CRI as a Costpoint GovCon Cloud Moderate (GCCM) Partner


One of the key differentiators of CRI is our strategic partnership as a Costpoint GovCon Cloud Moderate (GCCM) partner. Deltek Costpoint, known for its robust financial and project management capabilities, offers a secure and compliant cloud environment specifically designed for government contractors. As a GCCM partner, we provide an integrated solution that meets the stringent requirements of the DoD and other federal agencies.


Benefits of Choosing CRI as Your GCCM Partner:


  • Enhanced Security and Data Storage: The GovCon Cloud Moderate environment ensures compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Defense Federal Acquisition Regulation Supplement (DFARS). This aligns seamlessly with CMMC 2.0 requirements, providing a secure environment for storing CUI, CDI, and ITAR data in the cloud and eliminating the need and cost of on-premises equipment.


  • Seamless Implementations: As a Costpoint GovCon Cloud Moderate (GCCM) Implementation Partner, CRI is set up to assist customers through a successful GCCM go-live. This includes completing a Deltek Global Information Security (GIS) review and having staff members participate in a GCCM-specific training program. We are extremely well versed in the security and compliance needs that contractors face, having guided many GovCon clients through successful Costpoint implementations, and we bring a level of thoroughness and care that is unmatched.





Conclusion


Navigating the complexities of CMMC 2.0 is crucial for defense contractors looking to secure their place in the DoD supply chain. With the final rulemaking expected soon, now is the time to act. CRI stands ready to guide you through this transition with our expertise in compliance and our strategic partnership as a Costpoint GovCon Cloud Moderate partner. Together, we can build a robust cybersecurity foundation that protects your business and meets all regulatory requirements.


