Cybersecurity Maturity Model Certification (CMMC) 2.0
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework most Department of Defense (DoD) contractors will need to implement in the coming years. It’s overseen by the Office of the Under Secretary of Defense for Acquisitions and Sustainment.
CMMC is comprehensive, comprising controls drawn from many regulatory texts. Most of these correspond to protections for the DoD and its stakeholders established in the Defense Federal Acquisition Regulation Supplement (DFARS). Primary source texts for CMMC have included:
- FIPS PUB 199
- NIST SP 800-53
- NIST SP 800-171
- NIST SP 800-172
The CMMC was in the early stages of its planned rollout when, in November 2021, the DoD announced major changes to the framework and the implementation of the CMMC program.
Adjustments will be needed for all Defense Industrial Base (DIB) organizations that need to be certified, irrespective of how closely they had followed CMMC guidelines prior to CMMC 2.0. RSI Security has assisted countless DoD contractors with compliance with DFARS, NIST, CMMC, and other regulations. Our CMMC advisory services will help you navigate the terrain ahead.
LEVELS AND REQUIREMENTS
CMMC Levels and Requirements for CMMC 2.0
One of the hallmarks of the CMMC is its tiered approach. Not all CMMC-eligible organizations will need to implement the entire framework; for some, a lower Level will suffice. (The requirements, and how implementation is verified through assessment, are detailed below.)
Previous versions of the CMMC separated implementation across five Levels. In CMMC 2.0, there will be three.
Here is how they compare to the Levels in the most recent prior version, CMMC v1.02:
CMMC v1.02 Maturity Levels:
- Maturity Level 1 – “Basic”
- Maturity Level 2 – “Intermediate”
- Maturity Level 3 – “Good”
- Maturity Level 4 – “Proactive”
- Maturity Level 5 – “Advanced” (CUI and APTs)
CMMC 2.0 Levels:
- CMMC Level 1 – “Foundational” (parallel to v1.02 Level 1)
- CMMC Level 2 – “Advanced” (parallel to v1.02 Level 3)
- CMMC Level 3 – “Expert” (parallel to v1.02 Level 5)
CMMC Security Requirements for 2.0
CMMC certification Levels and requirements for DoD contractors were clearly established in earlier versions of the CMMC. Which Level an organization needed to reach depended on the kind of information it primarily handled and the risk environment surrounding that information.
- CMMC Level 1 was primarily for FCI
- CMMC Level 3 focused on protecting CUI
- CMMC Level 5 targeted APTs to both CUI and FCI
NOTE: These may no longer hold true for CMMC 2.0.
The Levels also had clear Practice thresholds in prior editions: progressively better “Cyber Hygiene” at CMMC Levels 1–3, then “Proactive” and “Advanced” at CMMC Level 4 and CMMC Level 5, respectively. These drew upon the 171 total CMMC Practices in v1.02, housed in 17 Security Domains and corresponding to 43 Security Capabilities.
It is unknown if, or to what extent, these core elements will be preserved in CMMC 2.0. What is known at present is that the DoD intends to remove all CMMC-unique Practices for CMMC 2.0.
Information about the specific Requirements for Levels 1, 2, and 3 includes the following:
- CMMC 2.0 Level 1 – 17 Practices
- CMMC 2.0 Level 2 – 110 Practices, mirroring NIST SP 800-171
- CMMC 2.0 Level 3 – 110+ Practices, based on NIST SP 800-172
NOTE: Both SP 800-171 and SP 800-172 comprise 14 Requirement Families, on which CMMC v1.02’s Domains were based. SP 800-171 has 110 Requirements, and SP 800-172 has 35.
CMMC Certification Requirements for 2.0
Little information is available on CMMC certification assessments for CMMC 2.0. Current projections are annual self-assessment at Level 1, triennial third-party assessment at Level 2, and triennial government-led assessment at Level 3. The DoD intends to extend accommodations to some organizations in the form of Plans of Action and Milestones (POA&Ms) and Waivers. Both of these are departures from the third-party verification required at all Levels for CMMC v1.02, and little is known about how many entities will be able to take advantage of them.
RSI Security’s CMMC blog archive will continue to be updated whenever more information is available about CMMC certification DoD requirements, and the most pertinent information is collected there.
LET US HELP
How RSI Security Helps You Prepare for CMMC 2.0 Compliance
RSI Security is well positioned to assist your organization in future CMMC assessment and certification procedures. We’re equipped to conduct readiness assessments to determine what implementation will likely entail, along with how to prove eligibility for waivers.
The CMMC Accreditation Body (CMMC-AB) was responsible for CMMC auditor certification for prior versions of CMMC. The CMMC-AB has recognized RSI Security as a Registered Provider Organization (RPO), and our staff includes several Registered Practitioners (RPs). Prior to the CMMC 2.0 announcement, RSI Security was also in the final stages of becoming a Certified Third Party Assessor Organization (C3PAO), the only type of CMMC assessor able to verify CMMC implementation under v1.02.
RSI Security has been serving NIST clients for over a decade and has the expertise to navigate any changes and updates to the framework as they develop. Reach out to us to schedule a quick call on what CMMC 2.0 means for your business.