Someone once asked bank robber Willie Sutton why he robbed banks. Sutton replied, “Because that's where the money is.”
For would-be cybersecurity attackers, surely there’s no more attractive “bank” than government data. Thus, the U.S. Department of Defense (DoD) must do everything possible to protect that sensitive data from nefarious actors who would try to breach its defenses. You can imagine the volume and delicacy of that data!
Even if the DoD did everything right internally, it’s at risk if any partner or supplier has inadequate cybersecurity defenses—and there are many partners. As a result, several years ago, the DoD established programs to keep such systems safe, both within government agencies and with any organizations with which it partners.
If your company is among those partners – either as a direct contractor or subcontractor – listen up. One critical framework, the Cybersecurity Maturity Model Certification (CMMC), is being updated, and its changes will likely affect your organization’s workflow. Those effects will be felt particularly by small- and medium-sized businesses (SMBs) involved in government contracting.
The idea behind the framework is to protect any data for which the government is responsible, and to ensure compliance with cybersecurity best practices. Like a lot of governmental writing, the CMMC is detailed, meticulous, and ponderous. The contents can be daunting to understand, and feel impossible to comply with. However, adhering to those rules is necessary for any business that wants to provide services to the federal government (either directly or as a contractor to such a company).
A word of warning: There are a lot of three-letter acronyms – TLAs – to endure. If you work with the government or plan to, you probably need to get used to this.
Here are the essentials of what you need to know.
What is the Cybersecurity Maturity Model Certification program?
The CMMC focuses on cybersecurity threats within the Defense Industrial Base (DIB). It is directed at contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), ensuring those organizations meet the DoD’s cybersecurity standards.
Contractors and subcontractors follow the CMMC program to verify their ability to protect sensitive, unclassified information, whether that data is shared between the Department and its contractors and subcontractors or generated by the contractors and subcontractors. The CMMC acts as a mechanism to show that security requirements were implemented at each CMMC level (we’ll get to levels in a moment) and to maintain that status during the contract period.
To protect CUI, the Defense Federal Acquisition Regulation Supplement (DFARS) added a new requirement in 2017 for contractors and subcontractors that store, process, or handle CUI. Those partners had to comply with the 110 security controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which has been updated several times since then.
Defining CUI is a deeper issue, but your business should expect it to be detailed in the contract materials. Worth noting: CUI used to be called For Official Use Only Information (FOUO), though that term is no longer used.
To address the weaknesses in that NIST system – for one thing, a plan’s timeline wasn’t required – the DoD created CMMC 1.0 in early 2020. This framework uses the processes and security implementation found among several standards including NIST, Federal Acquisition Regulation (FAR), and DFARS.
CMMC 1.0 had five levels of maturity progression, which aimed to determine an organization's cybersecurity maturity. They correlated to the following goals:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: A transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Level 4: Protect CUI
- Level 5: Reduce risk of Advanced Persistent Threats (APTs)
CMMC 1.0 addressed 17 high-level cybersecurity compliance categories (called domains) containing 43 capabilities (achievements to ensure cybersecurity objectives are met within each domain). The capabilities comprise 171 practices across the five maturity levels.
CMMC 1.0 was a good first effort. But….
17 domains? 171 practices? Documentation for all of those?! Even if a would-be contractor or subcontractor was doing all the right things security-wise, filling in the forms was a tremendous amount of work – particularly for the SMBs that comprise most of the DIB. Given that meeting CMMC 1.0 was a requirement, those companies could no longer perform DoD work without the certification. Not to put too fine a point on it, but that was a problem.
The DoD tweaked CMMC twice (versions 1.1 and 1.2) but eventually concluded that the framework needed to be reworked to simplify it without losing sight of its cybersecurity goal.
And now we have the 2.0 version!
In December 2023, the DoD announced the CMMC 2.0 Proposed Rule, 32 CFR 170. By government standards, things have moved at lightning speed ever since. In June 2024, the Proposed Rule went to the Office of Information and Regulatory Affairs (OIRA) for final approval, including setting an “effective date.” While OIRA can take as long as 120 days for its evaluation process, 60 days or more is a typical turnaround.
The final rule was posted on Oct. 15 and will go into effect on Dec. 16. The DoD will soon make CMMC compliance mandatory in some DoD contracts (a condition of contract award). By 2028, expect CMMC compliance to be mandatory in all DoD contracts.
Your takeaway: By early next year, this will be a relevant part of government contracts.
What’s new in CMMC 2.0
The new DoD regulation pares down cybersecurity requirements to minimize obstacles for businesses, but aims to do so without compromising cybersecurity standards.
For one thing, CMMC 2.0 has a more streamlined approach. Instead of the five levels of cybersecurity maturity in CMMC 1.0, there are now three:
- Level 1, Foundation: 17 basic cybersecurity practices. Level 1 applies to organizations that process FCI data that is not critical to national security, where the organization does not create, store, or receive CUI. An annual self-assessment, once complete, satisfies the CMMC Level 1 requirements.
- Level 2, Advanced: Documentation of practices is required. Advanced cybersecurity practices span 14 domains and 110 security controls in alignment with NIST SP 800-171 Rev. 2. Level 2 applies to prime contractors and subcontractors that handle the same type of CUI; subcontractors may adhere to a lower level depending on the information they receive from the prime contractor. The assessment may be self-administered for contractors working on non-prioritized acquisitions involving CUI that is not critical to national security. However, contractors working on prioritized acquisitions involving data critical to national security require a triennial third-party assessment.
- Level 3, Expert: This level includes advanced cybersecurity practices and requires extensive documentation, including resource plans for implementing and maintaining them. There are 14 domains and 110 security controls to address. This level requires triennial government-led assessments for contractors that work on the highest-priority CUI programs, where the data is critical to national security.
Levels 2 and 3 certifications include 14 domains. The documentation regularly gives them two-letter abbreviations:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Which level applies to your organization? Expect the requirements to vary on a contractual basis depending on the data’s criticality and sensitivity. However, all contractors that process FCI must obtain a minimum Level 1 CMMC certification.
Is CMMC relevant to your company? Don’t dawdle
Despite efforts to simplify the CMMC program, it’s still complicated and time-consuming, especially for organizations new to the world of government contracting.
As you start on the path toward compliance, if the matter is relevant enough to your business for you to have reached this point in this article (for which we are grateful, thanks!), now is the right time to get your ducks in a row, or at least to acquire a brace of ducks for later organization.
What can you do now?
- Define your FCI and CUI scope: Assess the flow of FCI and CUI in the projects you work on (and intend to work on) and confirm the scope for CMMC compliance.
- Conduct a self-assessment: Level 1 CMMC certification depends on self-assessments. Do it now to identify gaps and address them before it’s time to bid on a contract. External expertise may help in this regard, particularly when delivered by experienced vendors (like Secure Ideas) that can evaluate the parts of your security posture the DoD is likely to examine.
- Generate your System Security Plan (SSP): Whatever level of CMMC you apply for, the DoD requires organizations to have documentation demonstrating how cybersecurity practices are implemented. These documents are worthwhile for internal reasons, too, because it’s good to know “How does data flow in and out of the current environment?” and “What control do you have over the systems holding contract information and sensitive data?” The SSP becomes the certification blueprint, so build it in a form that is easy to keep up to date.
- Get certified: If you completed everything above, you’ve already done the hard part – or at least identified the information to gather and document.
Even if everything isn’t copacetic when you bid on a contract, the DoD may let you use a temporary plan – but it’s best that you don’t need one.
Depending on the certification level, you may need to work with a Certified Third-Party Assessor Organization (C3PAO). These independent organizations assess companies to ensure they meet the DoD standards. CMMC Level 3 certification requires a government-led assessment in which an auditor evaluates your SSP, examines your security posture, and meets with your team before approving the company. These approvals are good for three years, after which the compliance dance begins again.
Are you ready to get started? Secure Ideas would love to help you assess your current cybersecurity posture and offer advice about your CMMC readiness. Contact us to get the conversation started!