What is CMMC 2.0 and How You Can Prepare for It
Cybersecurity Maturity Model Certification (CMMC) 2.0 is the current iteration of a framework established by the Department of Defense (DOD) to ensure that effective levels of cybersecurity maturity are in place within the Defense Industrial Base.
CMMC is an evolution of existing frameworks, but it has been modified to be cost effective and scalable for businesses of varied sizes, with a focus on progressively improving over time as your organization handles more sensitive information.
Who is impacted by CMMC
Over the next five years, as CMMC is adopted by the DOD, any business that deals with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to meet some level of CMMC compliance. The scope of CMMC is intentionally broad, as the objective is to defend the complete DOD supply chain, not just those dealing in confidential information.
The CMMC 2.0 Model: Levels and Domains
The CMMC model has three levels:
- Level 1: Foundational Practices
- Level 2: Advanced Practices
- Level 3: Expert Practices (In Development)
Level 1 focuses on the protection of FCI and is based on 48 CFR 52.204-21. It requires an annual self-assessment and includes 17 practices, such as:
- MP.L1-3.8.3 Media Disposal - Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- SI.L1-3.14.5 System & File Scanning - Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Level 2 has 110 practices and is based on NIST SP 800-171. In addition to an annual self-assessment, a triennial third-party assessment must be completed. The 110 practices include items like:
- AU.L2-3.3.2 User Accountability: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
- AC.L2-3.1.5 Least Privilege: Employ the principle of least privilege, including for specific security functions and privileged accounts.
Level 3 has not been fully defined at this time but will be based on NIST SP 800-172. It will also most likely require a triennial assessment conducted by the government directly.
How to Get Certified
- Review the requirements for the contract you are trying to fulfill and determine the CMMC requirement for it. Note: Currently you need to be compliant at the time the contract is awarded, not at the time you respond to the RFP.
- Either do a self-assessment or hire a third party to help you understand which gaps exist between where you are now and where you need to be.
- Once you feel you are ready to go through the certification process formally, you will have to engage a certified third-party organization (for Levels 2 and 3 only).
Who Can Help You Get Certified
The CMMC Marketplace was created by the CMMC Accreditation Body to provide an authoritative source on who is qualified to provide you with the different CMMC-related services. It can help you identify who is currently certified and authorized to do CMMC work.
Registered Practitioners (CMMC-RP) and Registered Provider Organizations (CMMC-RPO) can help you understand the process of becoming CMMC compliant, the requirements, and the available resources for completing audits and remediation work.
CMMC Certified Professionals (CCP), CMMC Certified Assessors (CCA) and CMMC Third-Party Assessor Organizations (C3PAO) are qualified to conduct the assessments. They must be certified to the level they are assessing.
How to Get Ready for CMMC
CMMC is still evolving, so for many organizations going through the audit process beyond the self-assessment does not make sense just yet, but that does not mean you cannot get started on your own.
- You can have a provisional assessor do an assessment, followed by the secondary (gap) assessment once the CMMC requirements are finalized.
- You can start with a NIST SP 800-171 self-assessment. Since about 80% of CMMC comes from NIST, it is a great readiness assessment.
- The CMMC program has also posted the Level 1 assessment guidelines, as well as general mappings and requirements for the first two levels.