Do defense industrial base contractors need to scope their cybersecurity environments to prepare for CMMC 2.0 in 2023?
That’s a loaded question. And we’ll provide definitive answers in this post.
But what exactly is a CMMC Assessment Scope, and when do I have to complete it?
This post will provide the latest CMMC updates, actionable recommendations for our clients in 2023, information on affordable solutions, and additional guidance on where you can go for more information.
But the short answer to the question is yes. If you want to stay ahead of the curve and ensure compliance with the looming CMMC 2.0 final rule, you should start planning to do a CMMC 2.0 assessment scope today. The CMMC 2.0 framework has definitely seen some starts, stops, and significant changes over the last several years.
And we’ve stayed on top of the progress.
As a CMMC compliance solution provider to the small and medium DIB contractor base, our clients expect us to stay on top of the most pressing cybersecurity issues. They rely on our expertise so they can focus on their business. And we intend to live up to that commitment.
Here’s what you’ll learn in this post:
- A brief review of the timeline for CMMC—where we started, where we’ve been, and where we are in 2023 (this is critical!)
- What do DIB contractors need to know about CMMC 2.0 in 2023?
- What are the levels of CMMC 2.0 certification, and who do they apply to?
- What is a CMMC Assessment Scope?
- When do contractors need to prepare for a CMMC assessment scope?
- How can you be diligent in preparing for implementation?
So how did we get here, and where are we going this year with CMMC 2?
A brief review of the CMMC timeline (this is critical!).
At the end of CY 2020, the DIB contracting base was focused on supplier performance risk system, or SPRS, scores centered on NIST SP 800-171 security requirements for DFARS 252.204-7012, 7019, and 7020. CMMC comprised five levels instead of the current three levels of certification.
There was a lot of activity around CMMC 1.0, with some of the large primes and government program directors seemingly trying to get ahead of the official rollout. Things were proceeding, and then…nothing.
From late 2020 well into 2021, DoD did a 9+ month review of CMMC 1.0, without releasing any meaningful information. There was speculation about what was happening with the process, but nothing concrete.
Fast forward to 2021, and nothing much new had happened until November 4, when DoD announced the release of CMMC 2.0. Here’s part of what they had to say in the press release:
Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program
Today, the Department of Defense announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of an internal program assessment led by senior leaders across the Department.
The enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, while:
Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements; Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and Increasing Department oversight of professional and ethical standards in the assessment ecosystem.
Activity around CMMC 2.0 picked up significantly in early 2022—with industry group chatter, webinars, etc.—and continued throughout 2022.
So here we are in early 2023. It’s important to keep in mind that the one thing that has been consistent from November 2021 and throughout 2022, is that DoD has stated they will officially introduce CMMC 2.0 into the rule-making process and that it will roll out in 2023.
We’re going to discuss this in more detail in the context of CMMC Level 1 and Level 2 assessments.
So what do DIB contractors need to know about CMMC 2.0 in 2023?
Based on our expected timelines from DoD, we think it’s likely that we will start seeing CMMC 2.0 Level 2 requirements in contract language late this spring, possibly by late April or May.
The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
That stretches the rulemaking process and timelines to November 2023 at the latest. But remember, the lengthy rulemaking process is largely complete and essentially codified in CMMC 2.0. So if the rule was published in April, allowing for a 60-day comment period concurrent with a congressional review, it could effectively take effect immediately.
This assumes that there will be few, or no, changes made as a result of public comments and congressional review. Based on further DoD guidance, we’re also anticipating that numerous primes and government program managers will be ready to implement to stay ahead of the inevitable implementation curve of CMMC 2.
This is the scenario that we believe will unfold in early 2023.
What are the levels of CMMC 2.0 certification, and who do they apply to?
There are three levels of CMMC 2 certification. Level 1, self-assessment and self-scoring, is not expected to change much for DIB contractors handling federal contract information (FCI).
Level 2, Advanced, is based on 110 practices. This advanced level of certification is required for defense industrial base contractors handling CUI. It’s also important to note that NIST SP 800-171a is always the guiding document for all CMMC levels of assessment and certification.
DoD has yet to issue further guidance on Level 3 certification.
This graphic describes the three levels of CMMC 2 certification:
In a nutshell, as a DIB contractor, you’re required to classify all assets that process, store, or transmit CUI to prepare for a CMMC assessment. And that’s what comprises an assessment scope.
What exactly is a CMMC Assessment Scope?
The ultimate goal for a DIB contractor is to achieve CMMC certification by passing an assessment. The CMMC Assessment Scope Level 2, or Level 1, produces the documentation necessary for that assessment.
Identifying the CMMC Assessment Scope:
This document provides information on the categorization of assets that, in turn, inform the specification of assessment scope for a Cybersecurity Maturity Model Certification (CMMC) assessment. The ensuing sections discuss CMMC asset categories as well as the associated requirements for Defense Industrial Base (DIB) contractors and CMMC assessments.
The document goes on to define the five categories of CUI asset classification and provides further information on each asset type, along with a few examples.
Here is an example of two asset classification categories from the document:
The precursor to putting an assessment scope together is a CUI system security plan or SSP.
So, to sum it up, you’ll need to prepare a formal SSP and an assessment scope as the foundational documents to prepare for CMMC 2.0 certification.
When do contractors need to prepare for a CMMC assessment scope?
Our advice to our clients is to get out in front of the curve now with an assessment scope plan. The perception among many contractors is that, once the final rule is published, the customary time duration of a year or more to implement the necessary security practices and technologies, in parallel with the normal lengthy rulemaking process, will commence.
We can’t state strongly enough that we do not believe this will be the case with CMMC 2.
How can you be diligent in preparing for CMMC 2.0 implementation?
We’re advising our clients to get started today. Remember, the rulemaking process is largely complete for CMMC 2.0. This happened when DoD was sequestered in most of 2021 and then subsequently released their vision for CMMC 2.0.
This means the normally lengthy rulemaking process will be superimposed on the implementation timeline. In other words, when the final rule is published, you’re probably not going to have much time to get ready for CMMC 2 certification.
We’re advising our DIB contractor clients to create budgets, CMMC 2.0 implementation plans, and timelines for certification. And we’re providing them with all the assistance they need to generate the essential foundational documents:
- CMMC Policies and Procedures
- CMMC System Security Plan
- CMMC Level 1 Assessment Scope or
- CMMC Level 2 Assessment Scope
Ask your customers, primes, government program officers, etc. for any documentation they have that defines any potential shared risk responsibilities. It’s also crucial to be vigilant for your customers trying to get ahead of the official CMMC 2 implementation curve with early implementation plans.
Where can you go for more information, like how can you get started with a Level 1 or Level 2 CMMC 2 assessment scope?
We’ll help you get ready now. As a DIB contractor handling FCI or CUI, you’re going to need CMMC 2 certification. And that process starts with an assessment scope.
At CKSS, our team of regulatory compliance security specialists has extensive experience helping small to medium-sized organizations implement and maintain robust, cost-effective information security programs at all levels.
But we’re here to listen to you and your team first.
After we fully understand your requirements and budget, we’ll help you get the right plan in place for compliance with CMMC 2.0.
We offer strategic advisory services, security compliance templates, security, and compliance staff augmentation, and managed security and compliance services, including Chief Information Security Officer (CISO) services.
Do you have questions about CMMC 2 and assessment scopes?
We’re here to help.