Partnering with the US Department of Defense (DoD) as a contractor offers lucrative prospects for your company, but it comes with the responsibility of adhering to multiple cybersecurity frameworks. The latest framework on the DoD scene is CMMC 2.0.
The DoD is phasing CMMC 2.0 requirements into contracts over a multi-year rollout; the phased schedule is set out in the CMMC Final Program Rule discussed below.
Achieving compliance with CMMC 2.0 can be particularly daunting for organizations new to the Defense Industrial Base (DIB). To help you begin, this article walks through how CMMC 2.0 assessments work and how to gauge your own readiness.
What is the Purpose of the CMMC 2.0 Certification Process?
The Department of Defense (DoD) created the CMMC 2.0 certification process to ensure that contractors have the safeguards in place to protect sensitive but unclassified information, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Organizations that wish to do business with the US Department of Defense must comply with CMMC. Depending on the sensitivity of the information the contractor handles, either third-party verification or a self-assessment is required, so that prime contractors and the subcontractors down their supply chain can show they are safeguarding FCI and CUI with due diligence.
CMMC Final Program Rule: What Contractors Need to Know
The Department of Defense (DoD) is raising the bar on cybersecurity compliance with its recent release of the Cybersecurity Maturity Model Certification (CMMC) Final Program Rule. Released on October 11, 2024, this rule formalizes the framework that contractors and subcontractors must follow to securely handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This marks a pivotal step for the DoD in strengthening the defense industrial base against cyber threats.
To help clarify the changes and timelines, here is a breakdown of the key takeaways from the Final Program Rule:
Timeline of Key Events and Requirements
(Infographic not reproduced in the text version of this page.)
Updates and Considerations
- Cloud Service Providers (CSPs) and External Service Providers (ESPs): The rule clarifies that a CSP used to process, store or transmit CUI must meet FedRAMP Moderate (or the DoD-defined equivalent). ESPs that are not CSPs no longer need their own CMMC certification; the services they provide are assessed as part of the contractor's own assessment scope.
- DIBCAC's Role: The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the government-led Level 3 assessments, and the DoD retains the authority to investigate and revoke a CMMC status, including one previously issued by a C3PAO, so a certificate is not a permanent shield.
Key Actions for Contractors
To navigate this new landscape effectively, contractors should consider the following actions:
- Audit Your Contracts: Determine whether you handle only FCI (Level 1) or also CUI (Level 2 or 3, as the contract specifies); this dictates your required CMMC Level.
- Engage Assessors Early: C3PAOs may be in high demand, so early engagement can help avoid scheduling conflicts as the rollout progresses.
- Solidify Your Internal Systems: Beyond technical defenses, robust policies, incident response plans, and cross-functional collaboration will be essential to meet the CMMC requirements.
- Assess Your Readiness: Conduct internal gap assessments against the requirements for your level before an assessor does.
What is the Need For Assessments Under the CMMC 2.0?
By conducting regular cybersecurity assessments of its contractors, the Department of Defense can be confident that sensitive information shared with the defense industrial base (DIB) is properly protected.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework emphasizes streamlining and reinforcing accountability in the cybersecurity assessment process. Notably, it aims to simplify the evaluation process while ensuring that adequate cybersecurity measures are in place to safeguard critical data.
Three CMMC 2.0 Levels
With the implementation of CMMC 2.0, a three-tiered approach was implemented based on the sensitivity of the information entrusted to contractors.
- Level 1: “Foundational” – The contractor implements the basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171, listed as 17 practices in the CMMC 2.0 model) and completes an annual self-assessment.
- Level 2: “Advanced” – The contractor implements all 110 security requirements of NIST SP 800-171; depending on the contract, compliance is verified by a C3PAO assessment or by self-assessment.
- Level 3: “Expert” – The contractor implements all 110 NIST SP 800-171 requirements plus 24 selected requirements from NIST SP 800-172, verified by a government-led assessment.
Tiered Assessments in the CMMC 2.0
The CMMC assessment methodology uses a three-tiered approach to tailor the assessment requirements according to the sensitivity of the information. Below we briefly outline the assessment requirements mandated at each level.
- Level 1 contractors (FCI only) and a subset of Level 2 contractors (CUI on programs the DoD considers less critical) conduct annual self-assessments against the requirements defined by the program.
- Level 2 contractors handling CUI on more sensitive programs undergo third-party assessments by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between.
- Level 3 contractors, supporting the most critical defense programs, undergo government-led assessments conducted directly by DIBCAC.
Self-Assessments for Level 1 Contractors
When framing the new version of the CMMC, the Department of Defense viewed Level 1 contractors as an opportunity to encourage and support them in developing and strengthening their cyber posture. As Level 1 contractors do not handle or process information deemed critical to national security, the decision was made that self-assessments would suffice to meet CMMC 2.0 requirements at this level.
Likewise, a subset of Level 2 contractors handle CUI that the DoD does not consider critical to national security, and those contractors are permitted to meet the requirement through self-assessment as well.
Contractors at Level 1 and in that Level 2 subset must self-assess annually and, each year, have a senior company official affirm in SPRS that the business continues to meet the department's requirements; no third party is involved in this affirmation.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Strategy For CMMC 2.0 Self Assessment
To guide contractors eligible for self-assessment (Level 1 and the Level 2 self-assessment subset) through CMMC 2.0 self-certification, we've outlined five steps to follow:
Step 1: Determine Your CMMC Level
The first step in the self-assessment process is to determine the appropriate CMMC level for your organization. This involves reviewing the CMMC framework and assessing the nature of your organization’s work. Consider the sensitivity of the information you handle and the requirements of your contracts. There are three levels of CMMC 2.0, as we mentioned earlier.
Step 2: Scope your Sensitive Information
Not every part of your organization needs to be in scope for CMMC, nor should it be. Only the systems, people and facilities that process, store or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), plus the assets that protect them, are considered “in-scope.” To keep the self-assessment tractable, map where FCI and CUI enter, move through and leave your environment, and draw the assessment boundary around those assets.
Step 3: Conduct a self-assessment
If you have already conducted the NIST SP 800-171 Basic Assessment required under DFARS 252.204-7019/7020, you have taken a significant step towards a full gap analysis: you already know which requirements are not met and what you need to do to remediate them.
An evidence-driven approach ensures that your self-assessment rests on tangible evidence rather than opinion or assumption: for each requirement, collect the configuration exports, screenshots, policies, logs or records that demonstrate it is implemented. An evidence-based CMMC self-assessment tool adds credibility to your results and gives you a solid foundation for decision-making and remediation.
Step 4: Create a System Security Plan (SSP)
The next step is to consolidate the relevant information into a System Security Plan (SSP). The SSP describes your environment, its boundary, and how each security requirement is implemented; it is a living document that evolves as your posture improves, covering policies, procedures, controls and technical specifications. The SSP is not submitted to the DoD, but it is itself a NIST SP 800-171 requirement (3.12.4), so it is mandatory at Level 2; Level 1 does not formally require one, yet it is still the practical place to record your scope and practices. Keep it accurate to your current security measures and aligned with the required controls.
Step 5: Get Certified
If you’ve reached this point, you’ve done the heaviest lifting already. The final action item is recording the result: DIB companies register their Level 1 and Level 2 self-assessment results, along with the annual affirmation by a senior official, in the Supplier Performance Risk System (SPRS).
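Worked example of the scoring behind Step 3 and Step 5: the NIST SP 800-171 Basic Assessment score is the number that gets posted to SPRS. The calculator below is an added illustration, not Centraleyes code or a DoD tool. The scoring rules it implements (start at 110, subtract a 5-, 3- or 1-point weight for each unmet requirement, partial credit only for 3.5.3 and 3.13.11, floor of -203) follow the DoD NIST SP 800-171 Assessment Methodology; the `Status` names, the sample findings and the weight table are constructed for illustration, and the table lists only ten of the 110 requirements.

```python
"""Score a NIST SP 800-171 Basic Assessment the way SPRS expects.

Rules follow the DoD NIST SP 800-171 Assessment Methodology:
  * start at the maximum of 110 points;
  * each requirement that is NOT implemented subtracts its weight (5, 3 or 1);
  * two requirements allow partial credit: 3.5.3 (MFA in place for remote and
    privileged users but not general users) and 3.13.11 (encryption in place
    but not FIPS-validated) subtract 3 instead of 5;
  * the lowest possible score with the full table is -203.
The weight table below is a constructed SAMPLE SUBSET for illustration only;
the full 110-entry table is in the published methodology.
"""
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"            # only earns credit for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Constructed sample subset of requirement weights (requirement id -> points).
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish and maintain baseline configurations
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography for CUI (partial credit possible)
    "3.14.2": 5,   # protection from malicious code
}

# Reduced deduction when one of the two eligible requirements is partially met.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id, status, weights=SAMPLE_WEIGHTS):
    """Points subtracted for one requirement given its assessed status."""
    if req_id not in weights:
        raise KeyError(f"unknown requirement {req_id}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req_id]
    # PARTIAL on any other requirement earns no credit: full deduction.
    return weights[req_id]


def score_assessment(results, weights=SAMPLE_WEIGHTS):
    """Return (score, deductions) for a mapping of requirement id -> Status.

    A requirement present in `weights` but missing from `results` is treated
    as NOT_IMPLEMENTED, so an incomplete assessment is scored conservatively
    rather than silently inflated.
    """
    deductions = {}
    for req_id in weights:
        status = results.get(req_id, Status.NOT_IMPLEMENTED)
        points = deduction(req_id, status, weights)
        if points:
            deductions[req_id] = points
    return MAX_SCORE - sum(deductions.values()), deductions


if __name__ == "__main__":
    # Constructed sample findings: everything implemented except three items.
    findings = {req: Status.IMPLEMENTED for req in SAMPLE_WEIGHTS}
    findings["3.5.3"] = Status.PARTIAL            # MFA only for privileged/remote users
    findings["3.13.11"] = Status.NOT_IMPLEMENTED  # CUI moved without encryption
    findings["3.1.22"] = Status.NOT_IMPLEMENTED   # no review of public postings
    total, gaps = score_assessment(findings)
    print(f"SPRS score: {total}")
    for req, pts in sorted(gaps.items()):
        print(f"  -{pts}  {req}")
```

The conservative default for requirements you have not yet assessed is deliberate: SPRS holds you to the score you post, so an unfinished assessment should read low, not high. To use it for real, replace `SAMPLE_WEIGHTS` with the full table from the methodology and feed it your evidence-backed status for every requirement.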
How Can Centraleyes Help with CMMC 2.0 Assessments?
The Centraleyes platform eases the path to CMMC compliance with its integrated, updated CMMC 2.0 questionnaire and a follow-up system that helps you track and close gaps.
The platform also allows users to start an assessment around the NIST 800-171 framework, while walking you through all the requirements that need to be met for this prerequisite.
Centraleyes enables organizations to exchange data across various systems throughout their networks, saving time and money and allowing for more accurate and reliable data.