To get started on your journey to CMMC 2.0 compliance and DoD contracts, you’ll need:
- An overview of the sources and context surrounding CMMC 2.0
- A snapshot of the relatively limited requirements at CMMC Level 1
- A deep dive into the broad, intricate requirements at CMMC Level 2
- An analysis of the present state of DoD compliance at CMMC Level 3
Overview of the Regulatory Context
The Cybersecurity Maturity Model Certification (CMMC) is a regulatory framework overseen by the Chief Information Officer (CIO) of the Department of Defense. It applies to all contractors, vendors, and other stakeholders who make up the Defense Industrial Base (DIB) sector, ensuring that sensitive data classes they come into contact with are protected at all times.
CMMC ensures organizations are equipped to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from risks. It’s based on earlier National Institute of Standards and Technology (NIST) Special Publications (SPs), 800-171 and 800-172, which were designed to protect CUI and to defend it against Advanced Persistent Threats (APTs), respectively.
The CMMC itself is currently in its second version, launched November 2021, and the broader program around it is in the middle of an extended rollout phase. CMMC 2.0 DoD compliance will become a standard, default requirement on all military contracts in the future; many such contracts already require a commitment to protecting the kinds of data covered by NIST SP 800-171 and 800-172.
CMMC 2.0 Level 1 Requirements
The CMMC framework categorizes candidates into Levels based on the extent of CUI/FCI responsibilities in a given contract and the broader risk environment surrounding the data. Level 1 represents the lowest amount of responsibility and risk, generally for smaller contracts and organizations, so the CMMC 2.0 compliance requirements at Level 1 are relatively lax.
With respect to implementation, there are a total of 15 cybersecurity controls selected from NIST SP 800-171 that organizations must implement and maintain. These controls correspond roughly to what was considered “basic” security in prior versions of the CMMC framework. They are concerned primarily with FCI and pave the way toward greater CUI and APT security.
The specific breakdown of Practices can be found in the Level 1 Assessment Guide.
In terms of official assessment, organizations at Level 1 are eligible to self-assess and submit their results to the DoD for review. Pending confirmation, certification will be granted, but annual self-assessments are required to maintain CMMC and DoD compliance long-term.
CMMC 2.0 Level 2 Requirements
CMMC Level 2 is a proxy for full implementation of the NIST SP 800-171 framework. It applies to organizations that process significant volumes of CUI, bear significant responsibilities with respect to that data, and/or process CUI in an environment that poses significant risks to it.
In terms of the actual controls, CMMC Level 2 includes 110, spread across 14 categories:
- Access Control (AC): 22 Practices
- Awareness and Training (AT): 3 Practices
- Audit and Accountability (AU): 9 Practices
- Configuration Management (CM): 9 Practices
- Identification and Authentication (IA): 11 Practices
- Incident Response (IR): 3 Practices
- Maintenance (MA): 6 Practices
- Media Protection (MP): 9 Practices
- Personnel Security (PS): 2 Practices
- Physical Protection (PE): 6 Practices
- Risk Assessment (RA): 3 Practices
- Security Assessment (CA): 4 Practices
- System and Communications Protection (SC): 16 Practices
- System and Information Integrity (SI): 7 Practices
The full breakdown of Practices can be found in the Level 2 Assessment Guide.
Assessment is also significantly more involved at Level 2. Assessments are triennial rather than annual, with annual re-affirmation in between. And, although some organizations are eligible to self-assess, most will need to work with a Certified Third Party Assessment Organization (C3PAO). C3PAOs are vetted and listed by the Cyber AB; at present, they are the only assessment partners available to Level 2 organizations that need a third-party assessment.
CMMC 2.0 Level 3 Requirements
Level 3 CMMC compliance is for organizations that process the highest amount and variety of CUI and/or operate IT environments subject to APTs. It builds on the protections established at Level 2 and requires implementing an as-yet unknown number of controls from NIST SP 800-172.
With respect to certification, Level 3 requires triennial government-led assessments. The processes and specific agencies, much like the exact control burden, are not yet finalized.
While the DoD has not confirmed the full scope of Level 3 requirements yet, we can speculate on what it is likely to include. NIST SP 800-172 comprises 35 unique Enhanced Requirements that fit into the same 14-category schema from SP 800-171 and CMMC. So, the maximum scope at Level 3 is likely 145 controls, assuming no additional source texts are added.
Achieve and Maintain CMMC 2.0 Compliance
Ultimately, securing DoD contracts into the future is going to require displaying some level of CMMC compliance. If your organization processes CUI in addition to FCI, it will likely need to reach at least Level 2 compliance. That will likely require working with a C3PAO—like us.
RSI Security is a C3PAO and has helped organizations prepare for DoD compliance since before the CMMC model was developed. We’re committed to service and helping teams instill discipline in the short term because we know it unlocks freedom and flexibility down the line.
To learn how we simplify the CMMC 2.0 requirements, contact RSI Security today!