The Department of Defense has recently released plans for CMMC 2.0, the revised standards for compliance and security in the DoD supply chain. Many contractors working with DoD agencies were already gearing up for CMMC 1.0, and now are left wondering what is next for them and their business.
The important thing to remember is that CMMC 1.0 hasn’t gone away. You can continue on your current compliance path, based on any RFP requirements, and use that work to streamline your path to CMMC 2.0 compliance.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a contract award requirement.
What Is Changing in CMMC 2.0 Certification?
With the introduction of CMMC 2.0, contractors are going to see a shift in compliance requirements. Here are some of the broad changes introduced by the DoD:
- Three Maturity Levels: The original CMMC certification included 5 maturity levels, with Level 1 certification required for handling Federal Contract Information (FCI), Level 3 certification required for handling Controlled Unclassified Information (CUI), and Level 5 required for the highest-level data concerns, where the challenge of Advanced Persistent Threats (APTs) is most relevant. Under CMMC 2.0, these levels have been cut to three. Level 1 is still the minimum for FCI. Level 2 under CMMC 2.0 essentially combines the original Levels 2 and 3 from CMMC 1.0 and serves as the baseline for handling CUI. Level 3 under CMMC 2.0 combines aspects of the original Levels 4 and 5, but more accurately represents a flexible expansion of advanced controls beyond the minimum requirements for CUI. This new breakdown supports more streamlined compliance requirements, with controls centralized around a single primary document, NIST SP 800-171.
- Third-Party Audits Optional in Specific Cases: In the original CMMC system, an audit from a Certified Third-Party Assessment Organization (C3PAO) was required at every level and for every certification. Under CMMC 2.0, third-party audits are only required for Levels 2 and 3. Organizations pursuing Level 1 certification can undergo annual self-assessment in line with CMMC Accreditation Body (CMMC-AB) guidelines, and select organizations pursuing Level 2 certification can also opt for self-assessment under very specific circumstances.
- Allowed Use of Plan of Action and Milestones (POA&M): In the original CMMC framework, organizations were expected to meet requirements at the time of audit. This is somewhat different from other regulations like FedRAMP that provide mechanisms for audited organizations to provide POA&Ms for controls that didn’t quite meet requirements, detailing remediation timelines without requiring an entirely new audit. Under CMMC 2.0, POA&Ms will be accepted in certain limited circumstances.
Speed up your CMMC Certification Process
The best way to streamline your CMMC certification now is to prepare for CMMC 1.0.
CMMC 2.0, while a simpler and, ideally, faster certification process, isn’t actually implemented yet. The rulemaking process for CMMC 2.0 is currently underway and isn’t expected to wrap up for at least 9-24 months. In the meantime, the CMMC-AB and DoD are still honoring current and ongoing CMMC 1.0 certifications, and are planning a migration path to grandfather anyone who achieves CMMC 1.0 certification prior to CMMC 2.0 finalization.
In the meantime, it’s important to take a few basic steps:
- Get Familiar with NIST SP 800-171: NIST 800-171 is the core document for CMMC, and becomes even more important for CMMC 2.0. Read it, have your IT team review it, and have a clear understanding of at least the basics of the requirements contained therein.
- Coordinate with Existing Compliance Standards: If you are a provider with existing compliance requirements, understand how those may overlap. Companies following FedRAMP, NIST SP 800-53, NIST SP 800-171 or the ISO 27000 series compliance standards are well on their way towards CMMC compliance. They aren’t 1-to-1 in any sense, but many requirements dovetail into one another.
- Work With an Expert Security Partner: Government and Defense compliance is complicated and time-consuming, and just managing documentation and reports can become a hassle. A skilled security partner with experience in these areas can ensure not only that you are compliant, but also that you are performing audits and due diligence effectively.
Don’t Hesitate on CMMC 2.0
Our proven CMMC assessment approach and technology dramatically improves the completion process. We average a massive 46% reduction in the traditional assessment time due to our critical path methodology, proactive philosophy, and usage of the Continuum GRC IT Audit Manager platform. You have 24/7 access, allowing everyone to get-in-and-get-out quickly.
CMMC 2.0 is on its way, and it is time for defense contractors to prepare for it. Our automated auditing systems, expert compliance specialists and cloud-based assessment tools make audits simple, clean and fast.
Ready to Get Started with CMMC?
Call Continuum GRC at 1-888-896-6207 or complete the form below.