Key Changes to Expect in CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) was built to safeguard sensitive unclassified information across the Defense Industrial Base (DIB) by addressing the gaps in prior regulatory requirements.

The new version (CMMC 2.0) focuses on the most advanced cybersecurity standards while minimizing barriers to compliance. Now is the time to start your company’s assessment: as implementation approaches, it will become harder to get the assistance you need.

CMMC Director Stacy Bostjanick announced that the CMMC 2.0 interim rule will likely come into effect in May 2023 and will go into contracts 60 days later, in July 2023. Updated contracts will be phased in between 2023 and 2026, and while organizations can make their best guess on what level they will fall into, anyone who handles CUI should plan to be compliant with at least Level 2 by July 2023.

CMMC 2.0 plans to:

  • Focus on the most critical requirements
  • Align with widely accepted standards such as NIST SP 800-171
  • Decrease assessment costs
  • Increase oversight of third-party assessors
  • Offer a flexible implementation timetable

This is managed with a combination of cybersecurity standards and best practices intended to:

  • Protect sensitive data to enable and protect all parties
  • Dynamically improve DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute to instilling a cooperative culture of cybersecurity and cyber stability
  • Maintain public trust through high professional and ethical standards

Maturity Level Guidelines

CMMC 2.0 further streamlines the maturity model by reducing it from five to three levels of compliance. The framework requires a systematic approach to certification mapped to three organizational maturity levels:

Foundational | Advanced | Expert

[Figure: the three CMMC 2.0 levels. Image source: Acquisition & Sustainment – Office of the Under Secretary of Defense]

Level 1 – Foundational
Allows organizations to conduct self-assessments against FAR 52.204-21.

Level 2 – Advanced
Includes 110 practices (reduced from 130) from NIST SP 800-171. It allows self-assessment for Controlled Unclassified Information (CUI) but requires a Certified Third Party Assessment Organization (C3PAO) to conduct the assessment when working with sensitive controlled information.

Level 3 – Expert
Requires CMMC 2.0 Level 2 C3PAO certification, adds the requirements of NIST SP 800-172, and requires an assessment by the DoD when working with the most sensitive controlled information.

How Does it Impact Your Company as a Government Contractor?
Government contractors will initially see DoD requirements to satisfy Maturity Levels 1 and 2 for anyone handling FCI or CUI. Most contractors will need to certify first at Maturity Level 1 and then at Maturity Level 2. Maturity Level 3 will be required for organizations working with the most sensitive CUI or confidential data; however, an organization must first certify at Maturity Levels 1 and 2 before it can certify at Maturity Level 3.

Maturity Level requirements will be outlined in contracts and flow down only to subcontractors working with the controlled information. Therefore, knowing what type of data you are storing is essential. Once an organization is CMMC certified, the certification is expected to be valid for three years.

Government contractors should ensure they cover the following steps to prepare their organizations.

Step 1 – Identify and classify the type of data you store to support existing or new contract awards.

Step 2 – Understand the Maturity Level your firm will likely need to satisfy based on the type of data you store and identify the gaps that could prevent achieving certification.

Step 3 – If you are unsure and work with CUI, start with Maturity Level 2, based on the 110 controls from NIST 800-171.

Step 4 – Make sure you have the documentation of formalized processes and controls.

Step 5 – Be familiar with all the essential definitions and compliance standards that make up CMMC 2.0.

You can take an additional step toward CMMC 2.0 compliance by closely examining the networks and procedures within your business. A third-party readiness assessment will determine whether your organization’s system configurations and processes are prepared to meet the appropriate Maturity Level, or whether they fall short of the defined requirements in whole or in part.

Those seeking CMMC 2.0 compliance must demonstrate that they can report on how they will detect, alert on, and respond to threats to their systems and data.

You can learn more about CMMC 2.0 from the Office of the Under Secretary of Defense for Acquisition & Sustainment.

What steps will you take next to set priorities for your business?

Tags: #compliance #certifications #cmmc #cybersecurity
