Demystifying CMMC 2.0 Framework
What is CMMC 2.0?
The CMMC framework has existed for years (the CMMC 1.0 guidelines were released in 2019). However, it needed updating because of the evolving threats faced by companies that partner with the DOD, and in November 2021 the CMMC 2.0 guidelines were released. Companies are now required to reference the CMMC documentation to ensure compliance. This process can be both challenging and time-consuming. In most cases, an organization will need the guidance of a third-party expert to gauge its existing compliance and, where necessary, make changes and improvements.
CMMC Levels
There are three levels of practice compliance required to achieve CMMC certification.
- Level 1: Organizations are required to employ basic cybersecurity protocols across 17 practice areas. These are the basic requirements outlined in the Federal Acquisition Regulation Supplement (FAR 52.204-21 – 2016).
- Level 2: Organizations must provide proof that they comply with the controls set out in NIST SP 800-171. These are already set out in DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement).
- Level 3: This level requires compliance with NIST SP 800-172, which was developed to help organizations guard against hostile actions by non-government actors defined as Advanced Persistent Threats (APTs). These actors have been identified as focused on the United States Department of Defense supply chain. NIST SP 800-172 provides a framework for in-depth protection of sensitive data.
Assessments
- Level 1: Self-assessments through SPRS have been reinstated for Level 1.
- Level 2:
  - Contractors handling CUI are required, at a minimum, to self-assess through SPRS against NIST SP 800-171 on an annual basis. A senior company official (e.g., CEO, CFO, etc.) must make the attestation.
  - Non-prioritized contracts can conduct their own internal annual self-assessment through SPRS.
  - Prioritized contracts must conduct their own annual self-assessment through SPRS AND a C3PAO assessment every 3 years.
  - DOD has not identified which companies need to self-assess and which will require a third-party assessor.
  - Whistleblower notifications and False Claims Act violations are potentially in play.
POAM and Waivers
- Limited use of Plans of Action and Milestones (POAMs) will be allowed.
  - Strictly time-bound: potentially 180 days. Contracting officers can use standard contractual remedies to address a contractor's failure to meet its cybersecurity requirements after the defined timeline.
  - Limited use: POAMs for high-weighted requirements are not allowed.
- Waivers
  - Only allowed in select mission-critical instances.
  - Strictly time-bound: the time allowed will be determined on a case-by-case basis.
  - Will require senior DOD approval.
Interim Program
- Since the timeline to complete the federal rulemaking process may be anywhere from 9 to 24 months, an interim voluntary program has been authorized.
- Do not expect rulemaking to change the underlying requirement to implement NIST SP 800-171.
Unknowns
- Reciprocity with other cybersecurity standards has yet to be identified.
- When to expect NIST SP 800-171 Rev. 3 and future updates.
- Practice inheritance and involvement of external service providers.
- Cloud-native environments and zero trust architecture.
- How companies will report and recoup CMMC business costs.
- How federal program offices will be instructed to define, classify, and identify CUI.
- Whether the government will implement any reciprocity with other US and international cybersecurity standards.
Takeaway
- Contractors should get compliant now: CMMC is not a new requirement. NIST SP 800-171 was first published in 2015, and DFARS 252.204-7012 has been enforced since December 2017.
- Conduct honest self-assessments through SPRS using NIST SP 800-171A.
- CKSS provides CMMC consulting support for companies of all sizes. If you’re interested in learning more about CMMC compliance or you need a CMMC Gap Analysis, please contact us here.