What is the Cybersecurity Maturity Model Certification (CMMC) Program?
As the number of new data privacy regulations and compliance programs coming into effect in the US continues to increase, one of the latest to emerge is the Cybersecurity Maturity Model Certification (CMMC) program. Unlike most of the current state-specific US data privacy regulations, the CMMC is a federal requirement imposed by the Office of the Under Secretary of Defense. Under CMMC, any organization that is part of the Department of Defense’s (DoD) supply chain (or plans to be in the future), including contractors and subcontractors, will be required to meet a defined set of cybersecurity requirements based on the type of data it handles. Let’s explore what the CMMC program is, who it affects, the updates to its versions and levels, and what affected organizations, contractors, and subcontractors can do to make sure they are compliant.
When Does CMMC Compliance Apply?
The comprehensive framework of CMMC was launched by the DoD to protect the Defense Industrial Base (DIB) from increasingly frequent and complex cyberattacks. It requires organizations, contractors, and subcontractors of the DIB to adhere to enhanced cyber protection standards in order to protect sensitive unclassified information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). FCI is information that requires protection but is not critical to national security; the framework also covers all types of Federal data residing in non-Federal systems. According to the Office of the Under Secretary of Defense, there are three key features of the CMMC framework:
Implementation through Contracts
CMMC 1.0 vs. CMMC 2.0
When the interim CMMC v1.0 became effective on November 30th, 2020, it required third-party assessments for CMMC compliance from all companies working for the DoD. Small and medium-sized businesses (SMBs) quickly pushed back, stating that the costs of compliance and certification would force them out of the DIB. According to the Office of the Under Secretary of Defense, there were over 850 public comments in response to the interim CMMC 1.0 echoing these concerns. These comments led to an internal review by the Department, conducted in March 2021, that engaged cybersecurity and acquisition leaders within the DoD to refine the program. In November 2021, CMMC 2.0 was announced with a revised structure and improved requirements to achieve the goals discussed in the internal review.
The modifications made from CMMC 1.0 to CMMC 2.0 include the following:
- Removing transitional levels 2 and 4, trimming CMMC levels down from five to three, and renaming the remaining three as follows: Level 1 (Foundational), Level 2 (Advanced), Level 3 (Expert).
- Dropping 20 security requirements for the new Level 2 (formerly Level 3), from 130 to 110, so that it aligns completely with NIST SP 800-171 and eliminates all practices and maturity processes that were unique to CMMC.
- Allowing all organizations at Level 1 (Foundational) and certain organizations at Level 2 (Advanced) that have non-prioritized acquisitions to demonstrate compliance through an annual self-assessment, thus reducing assessment costs.
- Under certain circumstances, allowing organizations to use Plans of Action & Milestones (POA&Ms) in order to achieve their certification. A POA&M is the plan a DIB organization adopts to correct deficiencies found in its security assessment. The POA&M should identify what needs to be corrected, how these corrections will be made, and what resources are required to do so.
- Waivers for CMMC requirements will be allowed under certain limited circumstances.
The 3 Levels of CMMC 2.0
As discussed, CMMC 2.0 cuts the number of levels from five to three by removing levels 2 and 4, which were developed to be transition levels. The three remaining levels are based on what type of information these DIB organizations possess and handle:
Level 1 (Foundational)
This level is for organizations that only have FCI, and is comparable to the old Level 1 in CMMC 1.0. Level 1 is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, which focuses on protecting FCI. Companies and organizations at this level must conduct an annual self-assessment to demonstrate compliance in order to get their certification.
Level 2 (Advanced)
This level is for organizations that work with CUI, and is comparable to the old Level 3 in CMMC 1.0. Level 2 requirements are in complete alignment with NIST SP 800-171 requirements. When it comes to certification, organizations within this level are split into two groups:
- CUI with prioritized acquisitions: Organizations handling CUI under prioritized acquisitions, which is information deemed critical to national security, will be required to undergo third-party assessments for certification every 3 years.
- CUI with non-prioritized acquisitions: Organizations handling CUI under non-prioritized acquisitions, which is information that is not critical to national security, can perform an annual self-assessment for their certification, as Level 1 organizations do.
Level 3 (Expert)
This level is for organizations that work with high-priority CUI, and is comparable to the old Level 5 in CMMC 1.0. This level will use the NIST SP 800-171 requirements plus a subset of the NIST SP 800-172 requirements. Level 3 organizations will always be subject to a government-led assessment for certification every 3 years.
Who, When, and How to Comply with CMMC
Who needs to get certified?
CMMC compliance is required of any entity in the DoD supply chain, including contractors and subcontractors. The DoD has stated that CMMC program requirements will affect over 300,000 organizations. However, as stated earlier, not all organizations, contractors, and subcontractors will require the same level of certification; the required level depends on the type of data being handled.
CMMC implementation timeline
CMMC Director Stacy Bostjancic announced that the CMMC 2.0 interim rule will likely come into effect in May 2023, and will go into contracts 60 days later, in July 2023. Updated contracts will be phased in between 2023 and 2026, and while organizations can make their best guess as to which level they will fall into, anyone who handles CUI should plan to be compliant with at least Level 2 by July 2023.
How to comply with CMMC
If your organization handles CUI, you should already be complying with CMMC Level 2 (Advanced), which mirrors the NIST SP 800-171 standards that have been in place since 2017. Organizations that are not yet compliant should consider implementing a pre-configured data classification solution designed specifically for handling CUI, which streamlines the process and makes it easy to implement the CUI framework required by CMMC and NIST SP 800-171 accurately and consistently. Even if your organization only handles FCI and needs to comply with Level 1 (Foundational), that data still needs to be kept secure and meet the Basic Safeguarding of Covered Contractor Information requirements. A data classification solution organizes data into categories, giving you more control over your data while making it easier to locate and retrieve, all of which is essential for risk management, compliance, and data security. With the interim CMMC rule likely coming into effect in May 2023, and appearing in contracts by July 2023, organizations, contractors, and subcontractors have less than a year to make sure they are compliant with CMMC standards, so getting started now is key. Having a solution to keep CUI, FCI, and other Federal data secure is going to be a necessity, rather than a nice-to-have, for organizations, contractors, and subcontractors that want to remain competitive for DIB contracts. Find out more about our easy-to-deploy, pre-configured data protection solution, Fortra’s Config for CUI, by watching the on-demand demo now.
Learn More about Fortra's Data Classification
Find out how Fortra's flexible data classification can help drive compliance with a variety of regulations and requirements.