CMMC 2.0 Compliance Consultant & Services
What is CMMC Compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that most Department of Defense (DoD) contractors will need to implement in the coming years. It is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
CMMC is comprehensive, comprising controls drawn from many regulatory texts. Most of these correspond to protections for the DoD and its stakeholders established in the Defense Federal Acquisition Regulation Supplement (DFARS). Primary source texts for CMMC have included:
- FIPS PUB 199
- NIST SP 800-53
- NIST SP 800-171
- NIST SP 800-172
The CMMC was in the early stages of its planned rollout when, in November 2021, the DoD announced major changes to the framework and the implementation of the CMMC program.
Adjustments will be needed for all Defense Industrial Base (DIB) organizations that need to be certified, irrespective of how closely they had followed CMMC guidelines prior to CMMC 2.0. RSI Security has assisted countless DoD contractors with compliance under DFARS, NIST, CMMC, and other regulations. Our CMMC advisory services will help you navigate the terrain ahead.
LEVELS AND REQUIREMENTS
CMMC Levels for 2.0
One of the hallmarks of the CMMC is its tiered approach. Not all CMMC-eligible organizations will need to implement the entire framework; for some, a lower Level will suffice. (The requirements for each Level, and how implementation is verified through assessment, are detailed below.)
Previous versions of the CMMC separated implementation across five Levels. In CMMC 2.0, there will be three.
Here is how they compare to the Levels in the most recent prior version, CMMC v1.02, whose top Level was aimed at protecting CUI against advanced persistent threats (APTs):
- CMMC 2.0 Level 1 – “Foundational”: parallel to v1.02 Level 1 – “Basic”
- CMMC 2.0 Level 2 – “Advanced”: parallel to v1.02 Level 3 – “Good”
- CMMC 2.0 Level 3 – “Expert”: parallel to v1.02 Level 5 – “Advanced”
The intermediate tiers of v1.02, Level 2 – “Intermediate” and Level 4 – “Proactive”, have no direct counterpart in CMMC 2.0.
CMMC Security Requirements for 2.0
CMMC certification Levels and requirements for DoD contractors were clearly established in earlier versions of the CMMC. Which Level an organization needed to reach depended on the kind of information it primarily dealt with and the risk environment surrounding that information:
- CMMC Level 1 was primarily for Federal Contract Information (FCI)
- CMMC Level 3 focused on protecting Controlled Unclassified Information (CUI)
- CMMC Level 5 targeted advanced persistent threats (APTs) against both CUI and FCI
NOTE: These mappings may no longer hold true for CMMC 2.0.
The Levels also had clear Practice thresholds in prior editions, ranging from progressively better “Cyber Hygiene” at CMMC Levels 1–3 and then “proactivity” and “advanced” at CMMC Level 4 and CMMC Level 5, respectively. These drew upon the 171 total CMMC Practices in v1.02, housed in 17 Security Domains and corresponding to 43 Security Capabilities.
It is unknown if, or to what extent, these core elements will be preserved in CMMC 2.0. What is known at present is that the DoD intends to remove all CMMC-unique Practices for CMMC 2.0.
Information about the specific Requirements for Levels 1, 2, and 3 includes the following:
- CMMC 2.0 Level 1 – 17 Practices
- CMMC 2.0 Level 2 – 110 Practices, mirroring NIST SP 800-171
- CMMC 2.0 Level 3 – 110+ Practices: the Level 2 set plus a subset of requirements drawn from NIST SP 800-172
NOTE: Both SP 800-171 and SP 800-172 are organized into the same 14 Requirement Families, on which CMMC v1.02’s Domains were based. SP 800-171 has 110 Requirements, and SP 800-172 has 35 enhanced Requirements.
CMMC Certification Requirements for 2.0
Little information is available on CMMC certification assessments for CMMC 2.0. Current projections are for an annual self-assessment at Level 1, a triennial third-party assessment at Level 2 (with an annual self-assessment projected for a subset of Level 2 programs), and a triennial government-led assessment at Level 3. The DoD also intends to extend accommodations to some organizations in the form of Plans of Action and Milestones (POA&Ms) and Waivers. Both of these are departures from the third-party verification required at all Levels under CMMC v1.02, and little is known yet about how many entities will be able to take advantage of them.
RSI Security’s CMMC blog archive will continue to be updated whenever more information is available about CMMC certification DoD requirements. The most pertinent information is available here:
CMMC 2.0 Certification FAQs
Achieving Cybersecurity Maturity Model Certification (CMMC) means that an eligible company has implemented the CMMC controls (i.e., the underlying NIST controls) up to the requisite maturity for its Level and has confirmed its security program’s effectiveness through a self, third-party, or governmental assessment.
Organizations subject to the CMMC can achieve and maintain certification by scoping the requirements for their Level, implementing all required systems and controls, and undergoing a self, third-party, or governmental assessment at the appropriate interval (annual or triennial).
CMMC certification is required for DoD contractors who create, collect, store, transmit, process, or otherwise come into contact with sensitive data in the form of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0 will likely take effect in mid to late 2022, but it could slip to late 2023. The DoD will begin requiring CMMC 2.0 in contracts once the rulemaking period is complete; that period began in late 2021 and is estimated to take between nine and 24 months.
The CMMC Level an organization needs to reach will be set by the specific contract it targets. In general, contracts that involve FCI will require Level 1, while contracts that involve CUI will require Level 2 or Level 3, depending on the amount, variety, and sensitivity of the data.
CMMC 2.0 is an important update on prior versions because it streamlines controls, making them more accessible. And CMMC certification in general is important because it assures that DoD contractors have cybersecurity controls in place to protect sensitive information critical to the safety of the DoD and, by extension, all Americans at home and abroad.
ISO 27001 certification does not substitute for CMMC certification. ISO 27001 is a robust cybersecurity framework, but it is generalized for use across many industries. CMMC and the NIST frameworks it is based upon require specific controls tailored to the particular kinds of data that DoD and government-adjacent organizations most need to protect.
The DoD projects that costs for CMMC 2.0 will be significantly lower than they were for previous versions. CMMC 2.0 certification costs will depend upon the kind of assessment needed. From self-assessments to third-party or governmental assessments, costs scale upward with each Level.
CMMC 2.0 implementation costs, which the DoD also projects to be significantly lower than for previous versions, will depend primarily on the amount, variety, and complexity of the controls implemented. Thus, these costs too scale upward with each Level.
Third-party CMMC assessments are conducted by Certified Third Party Assessor Organizations (C3PAOs) or Certified CMMC Assessors. These service providers are vetted and listed by the Cyber AB—formerly, the CMMC Accreditation Body (CMMC-AB).
LET US HELP
How RSI Security Helps You Prepare for CMMC 2.0 Compliance
RSI Security is well positioned to assist your organization in future CMMC assessment and certification procedures. We’re equipped to conduct readiness assessments to determine what implementation will likely entail, along with how to prove eligibility for waivers.
The CMMC Accreditation Body (CMMC-AB) was responsible for CMMC assessor certification for prior versions of CMMC. The CMMC-AB has recognized RSI Security as a Registered Provider Organization (RPO), and our staff includes several Registered Practitioners (RPs). RSI Security was also in the final stages of becoming a Certified Third Party Assessor Organization (C3PAO), the only type of CMMC assessor able to verify CMMC implementation prior to the CMMC 2.0 announcement.
RSI Security has been serving NIST clients for over a decade and has the expertise to navigate any changes and updates to the framework as they develop. Reach out to us to schedule a quick call on what CMMC 2.0 means for your business.