The Cybersecurity Maturity Model Certification (CMMC) framework protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) processed by Department of Defense (DoD) contractors. On November 4, 2021, the DoD announced a major overhaul of CMMC version 1.02 and the imminent release of CMMC 2.0. The full text of the new framework is not yet publicly available, leaving many organizations with questions about how they will need to adjust.
Read on for a comprehensive breakdown of the available information and projections.
Streamlining DoD Security with CMMC 2.0
The CMMC framework is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). Information about the new framework is hosted across various OUSD(A&S) pages and the DoD news brief—however, comprehensive information is fairly sparse.
From what is available, there are two major considerations for DoD contractors:
- How core components of CMMC 2.0 compare to their predecessors in v1.02
- How the implementation requirements and assessment procedures will differ
Below, we’ll address these major areas of consideration, with comparative looks at CMMC v1.02 to inform any mapping or implementation procedures you’ll need to initiate.
CMMC 2.0 Framework Core Components
Most of the materials published so far about CMMC 2.0 focus on how it will streamline the compliance process for all organizations to whom it applies. In this way, it continues a process begun with earlier CMMC versions. All Defense Industrial Base (DIB) sector companies to whom CMMC applies were already accountable for requirements that the Defense Federal Acquisition Regulation Supplement (DFARS) defines and the National Institute of Standards and Technology (NIST) Special Publication 800-171 fleshes out into controls.
The CMMC simplifies these controls (along with others across different frameworks) and collects them into one process of implementation. It also makes compliance more accessible by allowing for a tiered implementation across multiple levels. These core principles remain the same in CMMC 2.0—in fact, they will become simpler, as the number of levels is reduced.
Note: No information is yet available on the exact Practices or controls required at each level.
Before diving into the framework core from CMMC v1.02, which may or may not reflect the CMMC 2.0 changes, let’s take a look at changes that are certain.
CMMC 2.0 Levels vs CMMC v1.02 Levels
The biggest change to CMMC 2.0 is the revamped Maturity Level system. Here is a breakdown of the three levels introduced for CMMC 2.0, as compared to their counterparts in CMMC v1.02, per the OUSD(A&S) overview:
- CMMC 2.0 Level 1: Foundational – Roughly analogous to Level 1 in CMMC v1.02
- CMMC 2.0 Level 2: Advanced – Roughly analogous to Level 3 in CMMC v1.02
- CMMC 2.0 Level 3: Expert – Roughly analogous to Level 5 in CMMC v1.02
Notably, CMMC 2.0 will no longer measure Process Maturity, or Institutionalization, as it had in the prior versions. These metrics illustrated the extent to which Practices were implemented and integrated across all stakeholders within a company, progressing deeper at each Maturity Level.
For context, here is the breakdown of level focuses and Practice and Process Maturity in v1.02:
- CMMC 1.02 Level 1 – Focused on protecting FCI, comprising:
- Practice Maturity: Basic Cyber Hygiene
- Process Maturity: Performed
- CMMC 1.02 Level 2 – A transitional step toward the CUI protections required at Level 3, comprising:
- Practice Maturity: Intermediate Cyber Hygiene
- Process Maturity: Documented
- CMMC 1.02 Level 3 – Focused on full protection of CUI, comprising:
- Practice Maturity: Good Cyber Hygiene
- Process Maturity: Managed
- CMMC 1.02 Level 4 – Shifting toward Advanced Persistent Threats, comprising:
- Practice Maturity: Proactive
- Process Maturity: Reviewed
- CMMC 1.02 Level 5 – Focused on the most advanced protection of FCI and CUI against APTs, comprising:
- Practice Maturity: Advanced / Progressive
- Process Maturity: Optimizing
Not much information is publicly available yet about exactly how many Practices will be required at each level. The requirements for Level 2 are said to correspond exactly to NIST SP 800-171 (see below), but it is not yet clear how many of these will already be required at Level 1. The exact number and categorization of requirements at the new Level 3 are also unclear.
CMMC v1.02 Framework Core: Security Domains
There is no information publicly available yet about any changes to the core of the CMMC—i.e., its Security Domains—for CMMC 2.0.
In the most recent version, CMMC v1.02, the framework comprised 17 total Domains, which housed 171 Practices. There were also 43 Capabilities, which functioned as basic measures for the outcomes Practices are meant to ensure.
The breakdown of Domains, Capabilities, and Practices in CMMC v1.02 was as follows:
- Access Control (AC) – Four Capabilities and 26 Practices.
- Asset Management (AM) – Two Capabilities and two Practices.
- Audit and Accountability (AU) – Four Capabilities and 14 Practices.
- Awareness and Training (AT) – Two Capabilities and five Practices.
- Configuration Management (CM) – Two Capabilities and 11 Practices.
- Identification and Authentication (IA) – One Capability and 11 Practices.
- Incident Response (IR) – Five Capabilities and 13 Practices.
- Maintenance (MA) – One Capability and six Practices.
- Media Protection (MP) – Four Capabilities and eight Practices.
- Personnel Security (PS) – Two Capabilities and two Practices.
- Physical Protection (PE) – One Capability and six Practices.
- Recovery (RE) – Two Capabilities and four Practices.
- Risk Management (RM) – Three Capabilities and 12 Practices.
- Security Assessment (CA) – Three Capabilities and eight Practices.
- Situational Awareness (SA) – One Capability and three Practices.
- Systems and Communications Protection (SC) – Two Capabilities and 27 Practices.
- System and Information Integrity (SI) – Four Capabilities and 13 Practices.
It remains to be seen whether CMMC 2.0 retains some or all of these Domains, Capabilities, and Practices. It may instead default to the Requirements and Requirement Families of NIST.
CMMC 2.0 Implementation and Assessment
Another major way in which CMMC 2.0 will simplify implementation and certification is through what appears to be a trimming of the framework core. While the new framework has not been published yet, the OUSD(A&S) overview page for the CMMC 2.0 model notes that “CMMC unique security practices,” i.e., those not originating from NIST publications, will be removed.
OUSD(A&S) projects 17 Practices for CMMC 2.0 Level 1, with no information about sources.
The requirements at CMMC 2.0 Level 2 will “mirror” those in NIST SP 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This is not a major departure from v1.02, as the corresponding Level 3 in that framework also denoted complete implementation of NIST SP 800-171’s 110 Requirements (and 20 other Practices).
A much more significant change occurs at CMMC 2.0 Level 3, comparable to v1.02’s Level 5: CMMC 2.0 Level 3’s requirements are said to be “based on a subset of” the Requirements in NIST SP 800-172, titled Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. There is no indication, yet, of how many of SP 800-172’s 35 Requirements will be used, nor if or how they will be changed.
It should be noted that, if the changes suggested by these sources do happen, changes may need to occur to the Domain structure of the CMMC, as it does not correspond perfectly to the analogous Requirement Family structure used in both NIST SP 800-171 and NIST SP 800-172.
CMMC 2.0 Level 2 Implementation: SP 800-171
Before the initial launch of CMMC, the main security framework applicable to DIB entities was NIST SP 800-171. NIST itself does not impose the document on contractors; the contractual obligation comes from DFARS clause 252.204-7012, which requires covered contractors to implement NIST SP 800-171 and will continue to do so moving forward.
NIST SP 800-171 comprises 110 Requirements, distributed across 14 Requirement Families:
- Access Control – Two Basic and 20 Derived Requirements.
- Awareness and Training – Two Basic and one Derived Requirement.
- Audit and Accountability – Two Basic and seven Derived Requirements.
- Configuration Management – Two Basic and seven Derived Requirements.
- Identification and Authentication – Two Basic and nine Derived Requirements.
- Incident Response – Two Basic and one Derived Requirement.
- Maintenance – Two Basic and four Derived Requirements.
- Media Protection – Three Basic and six Derived Requirements.
- Personnel Security – Two Basic (no Derived) Requirements.
- Physical Protection – Two Basic and four Derived Requirements.
- Risk Assessment – One Basic and two Derived Requirements.
- Security Assessment – Four Basic (no Derived) Requirements.
- System and Communications Protection – Two Basic and 14 Derived Requirements.
- System and Information Integrity – Three Basic and four Derived Requirements.
CMMC 2.0 Level 3 Implementation: SP 800-172
Of the many documents beyond NIST SP 800-171 that earlier versions of CMMC drew upon, one of the more common sources was NIST SP 800-172. Itself an outgrowth of SP 800-171, SP 800-172 is a newly renamed version of what was previously called SP 800-171B. As this history suggests, it builds on the Families of SP 800-171, adding Enhanced Requirements to most:
- Access Control – Three Enhanced Security Requirements.
- Awareness and Training – Two Enhanced Security Requirements.
- Audit and Accountability – No Enhanced Security Requirements.
- Configuration Management – Three Enhanced Security Requirements.
- Identification and Authentication – Three Enhanced Security Requirements.
- Incident Response – Two Enhanced Security Requirements.
- Maintenance – No Enhanced Security Requirements.
- Media Protection – No Enhanced Security Requirements.
- Personnel Security – Two Enhanced Security Requirements.
- Physical Protection – No Enhanced Security Requirements.
- Risk Assessment – Seven Enhanced Security Requirements.
- Security Assessment – One Enhanced Security Requirement.
- System and Communications Protection – Five Enhanced Security Requirements.
- System and Information Integrity – Seven Enhanced Security Requirements.
CMMC v1.02 Assessment vs CMMC 2.0 Assessment
Finally, the last area in which CMMC 2.0 is likely to differ significantly from its predecessor is in how organizations will assess and verify their implementation. Notably, the requirements appear to be more relaxed, in some scenarios—but it’s unclear how widespread new leniencies will be.
Per the CMMC implementation page hosted by OUSD(A&S), the DoD may award contracts on a contingent basis, without CMMC implementation, pending a Plan of Action and Milestones (POA&Ms) agreement. The most critical security requirements would not be eligible for these, but many more minor ones would. Similarly, the DoD is considering waivers for the entirety of CMMC implementation, for some organizations. Both are radical departures from CMMC v1.02.
OUSD(A&S) projects annual self-assessment for CMMC 2.0 Level 1, triennial (every three years) third-party assessment for Level 2, and triennial government-led assessment for Level 3. Little information is available yet about which third-party or government entities will carry out these assessments, or how.
Prior to the projected changes, CMMC was set to require robust third-party verification, for nearly all DoD contracts, beginning no later than 2025. These assessments were going to be overseen exclusively by special organizations registered with the CMMC Accreditation Body (CMMC-AB): Certified Third Party Assessor Organizations (C3PAOs). Few C3PAOs were yet certified prior to the announcement of CMMC 2.0—for example, RSI Security was in the final stages of being C3PAO certified. It’s unclear at present how much of a role C3PAOs and the CMMC-AB will play in assessing and verifying CMMC 2.0. Nevertheless, the CMMC-AB press release about CMMC 2.0 indicated the organization’s overall support for all proposed changes.
Regardless of future verification needs, all organizations in and around the DIB can benefit from expert advisory with respect to DFARS, NIST, and CMMC readiness. Future changes may well sway back toward heightened requirements, necessitating swift adjustments and assessments.
Prepare for Future CMMC 2.0 Implementation
RSI Security has helped countless DIB stakeholders secure contracts with the DoD for years, dating back before the initial deployment of CMMC. Our team of expert analysts will help any organization determine the state of its current cybersecurity architecture, the extent to which it’s prepared for current and future DFARS regulations, and an action plan for implementing all patches and other updates required.
To get ready for CMMC 2.0, contact RSI Security today!