Organizations seeking work with the US government and the military need to prove their commitment to data security before securing a contract. CMMC 2.0, required for military contractors, has undergone a long transformation to get to where it is today. Understanding that history helps contractors rethink and streamline their compliance efforts.
Is your organization ready to comply with CMMC 2.0? Schedule a consultation to find out.
How CMMC 2.0 Became What It Is
A long road led up to the current iteration of the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC v2, announced in November 2021, overhauled CMMC v1.02, a framework that was itself new and not yet fully rolled out. To help military contractors understand the framework they are now expected to comply with, and how it came to take its current shape, this guide covers:
- The regulatory context surrounding DoD and CMMC compliance
- The early rulemaking and development of the CMMC framework
- The major changes introduced in CMMC v2 and their impact
- The timeline and expected rollout for CMMC 2.0 compliance
Working with a CMMC implementation partner to strategize, implement, and assess for certification is the best way to streamline compliance and secure military contracts.
Regulatory Context: DFARS and NIST
The DoD did not create CMMC 2.0 or its earlier versions overnight. CMMC is a culmination and consolidation of several earlier regulatory requirements. Long before it was first published, entities in the Defense Industrial Base (DIB) already needed to prove their security bona fides to win Department of Defense (DoD) contracts and preferred contractor status.
In terms of oversight, the governmental body currently in charge of the CMMC program is the DoD Chief Information Officer (CIO). The program was originally developed under the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) before responsibility moved to the CIO.
Documentation-wise, the regulation governing CMMC compliance is the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS clause 252.204-7012 already required DoD contractors to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which details requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. DoD contractors must also protect federal contract information (FCI), which falls outside the scope of SP 800-171 and is instead covered by the basic safeguarding requirements of FAR 52.204-21.
Early Rulemaking and Editions
The CMMC was initially proposed as a way to streamline these and other requirements for DoD contractors, adapting controls from NIST SP 800-171 and elsewhere into a unified framework.
To that effect, CMMC v1.02 comprised 171 total Practices, which included adaptations of all 110 Requirements in NIST SP 800-171, in addition to controls adapted from NIST's Cybersecurity Framework (CSF) and other sources. The framework grouped these controls into 17 domains, extending NIST's 14 Requirement Families with three CMMC-specific domains, and treated them as unique and independent of NIST.
CMMC 2.0 eliminated these “CMMC-unique” features—see below.
One element that carried over from v1.02, albeit in a different form, is the Maturity Model. Rather than requiring organizations to implement all controls at once, CMMC has always allowed stepwise implementation and gradual progress toward stronger cybersecurity.
In v1.02, there were five Levels corresponding to specific sets of controls and data contexts:
- Level 1 – Basic cyber hygiene, consisting of 17 Practices adapted from NIST and no maturity Processes, for organizations that handle FCI only and no CUI.
- Level 2 – Intermediate cyber hygiene, a transitional Level consisting of 72 total Practices and two Processes, intended as a stepping stone for organizations working toward CUI protection.
- Level 3 – Good cyber hygiene, comprising 130 Practices and three total Processes, intended for organizations that handle CUI (with or without FCI).
- Level 4 – Proactive cybersecurity, a transitional Level comprising 156 Practices and four total Processes, intended for organizations facing elevated risk to the CUI they handle.
- Level 5 – Advanced cybersecurity, comprising all 171 Practices and five Processes, intended to protect CUI in critical systems or against Advanced Persistent Threats.
The CMMC 2.0 levels are simpler (see below), but the general progression has been retained.
Organizations that had begun preparing for v1.02 before the release of v2.0 can look forward to a simpler structure, which particularly benefits those already compliant with NIST SP 800-171.
Major Changes in CMMC Version 2.0
The major thrust of the rulemaking leading to v2.0's release was simplification. The DoD and the public and private partners involved in the implementation were under intense scrutiny over inconsistencies across assessments and other elements of the program. As a result, the rule-makers pared down the complexity and streamlined the compliance process.
To begin with, the Levels of maturity and controls organizations need to implement changed.
Instead of five Levels, CMMC 2.0 has three. The transitional Levels 2 and 4 from v1.02 were dropped: the old Level 3 became the new Level 2, and the old Level 5 became the new Level 3. Rather than 171 CMMC-unique Practices, the framework now requires implementing the 110 NIST SP 800-171 Requirements directly, with a subset of NIST SP 800-172 added at Level 3. CMMC 2.0 limits itself to these two NIST publications, building directly on 800-171 instead of pulling from many sources, so there is far less guesswork in mapping controls from one source text to the language of another.
Additionally, the assessment requirements have changed rather dramatically.
In v1.02, every Level required a third-party assessment conducted by a Certified Third Party Assessment Organization (C3PAO), accredited by what was then called the CMMC Accreditation Body (CMMC-AB). The Cyber-AB, as the CMMC-AB is now known, continues to accredit C3PAOs. Under CMMC 2.0, entities at Level 1 and some at Level 2 can self-assess, while Level 3 requires government-led assessments.
The full breakdown of requirements, by level, is as follows:
- Level 1 – Organizations implement the 15 basic safeguarding requirements of FAR 52.204-21, a subset of NIST SP 800-171. An annual self-assessment and an annual affirmation are required.
- Level 2 – Organizations implement all 110 Requirements of NIST SP 800-171. A triennial C3PAO assessment and an annual affirmation are required in most cases; a limited set of programs may instead self-assess triennially.
- Level 3 – Organizations implement all 110 Level 2 Requirements plus a subset of controls from NIST SP 800-172 (the exact scope was not yet finalized at the time of writing), verified by a triennial government-led assessment.
CMMC v2.0’s simplicity is a boon to organizations starting their CMMC journey and those that had already begun. Working with an advisor will ensure a smooth certification process for both.
Timeline for Implementation
When CMMC 2.0 was announced in November 2021, rulemaking was expected to take up to 24 months. That timeline has slipped as the rulemaking process has taken longer than initially anticipated. Starting January 1, 2025, DoD contracts are expected to begin requiring Level 1 and Level 2 certification. Information about Level 3 remains scarce, as the final scope for implementation and assessment is not yet settled. Regardless of current or prospective Level, every organization in the DIB should be preparing for CMMC sooner rather than later.
Streamline your DoD Compliance
To recap, CMMC 2.0 is the product of a long and complicated regulatory history. Since its inception, the goal has been to streamline requirements for DoD contractors. Version 2.0’s changes have realized this vision better than any prior edition with a simplified format, fewer levels, and greater flexibility in terms of assessment. Understanding the history and how prior controls fit into the new framework will help you start—and finish—your CMMC journey.
RSI Security has helped countless organizations prepare for CMMC and other compliance processes. As a Cyber-AB listed C3PAO, we help organizations rethink their cyberdefenses. We’ll help you instill discipline now to unlock greater freedom down the road.
To learn more about our CMMC 2.0 compliance services, contact RSI Security today!