CMMC 2.0 is the Department of Defense’s cybersecurity framework for its contractors, consolidating controls from NIST SP 800-171 and SP 800-172. As organizations prepare for its implementation, understanding the distinct requirements of Levels 1 to 3 is crucial: Level 1 covers basic safeguarding of Federal Contract Information (FCI), Level 2 covers protection of Controlled Unclassified Information (CUI), and Level 3 adds protections against advanced persistent threats. Certification, performed by Certified Third Party Assessment Organizations (C3PAOs) or by the government depending on the level, will be essential for maintaining compliance and bidding on future DoD contracts.
What is CMMC 2.0?
Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that will be mandated for Department of Defense (DoD) contractors once rulemaking is complete, and is overseen by the DoD Chief Information Officer (CIO). CMMC consolidates controls from several existing standards and aligns with the safeguarding requirements already imposed through the Defense Federal Acquisition Regulation Supplement (DFARS).
Primary source texts influencing CMMC include FIPS PUB 199, NIST SP 800-53, NIST SP 800-171, and NIST SP 800-172. In November 2021, early in the planned rollout, the DoD announced significant revisions to the framework and to the program’s implementation. The result, CMMC 2.0, streamlined both implementation and assessment and replaced the original five-level maturity scheme with three levels, applicable to all qualifying organizations within the Defense Industrial Base (DIB) regardless of their prior adherence to earlier CMMC guidance.
Levels and Security Requirements for CMMC 2.0
Earlier iterations of CMMC defined five certification levels, each tied to the type of information an organization handles and the associated threat environment. For instance, CMMC Level 1 focused on handling Federal Contract Information (FCI), Level 3 centered on protecting Controlled Unclassified Information (CUI), and Level 5 targeted Advanced Persistent Threats (APTs) against both CUI and FCI.
Each CMMC v1.02 level also set a clear threshold of practices, with increasingly robust measures at each step: levels one to three were described as “Basic”, “Intermediate” and “Good Cyber Hygiene”, and levels four and five as “Proactive” and “Advanced”. In total, CMMC v1.02 detailed 171 practices spread across 17 security domains and linked to 43 security capabilities.
CMMC 2.0 collapses this to three levels, which mirror levels one, three, and five of v1.02, and drops both the v1.02 process-maturity requirements and the practices that had no source in NIST SP 800-171 or SP 800-172:
- CMMC 2.0 Level 1 – 15 practices
- CMMC 2.0 Level 2 – 110 practices, encompassing all of NIST SP 800-171
- CMMC 2.0 Level 3 – 110+ practices (count not yet final), adding controls from NIST SP 800-172
Level 1 Requirements
CMMC 2.0 Level 1 requires implementing 15 basic safeguarding practices, the requirements of FAR clause 52.204-21 (which correspond to a subset of the NIST SP 800-171 controls), to protect Federal Contract Information (FCI). Designed for smaller contracts and organizations with minimal responsibilities and risk, Level 1 permits self-assessment, which must be performed and affirmed annually to maintain compliance with DoD requirements.
Level 2 Requirements
CMMC 2.0 Level 2 requires full implementation of NIST SP 800-171 and applies to organizations that handle CUI. It encompasses the 110 security requirements of SP 800-171, grouped into 14 control families including Access Control, Incident Response, and System and Communications Protection. Level 2 assessments occur every three years, with annual affirmations of continued compliance in between. For contracts involving information the DoD designates as more critical, the assessment must be performed by a C3PAO; other Level 2 contracts may be satisfied by self-assessment. In either case the assessment verifies that the organization meets the DoD’s requirements for protecting sensitive information.
Level 3 Requirements
CMMC 2.0 Level 3 is designed for organizations that handle the most sensitive CUI and operate in environments exposed to APTs. It builds on Level 2 by adding controls from NIST SP 800-172, though the exact number has not yet been finalized. SP 800-172 defines 35 enhanced security requirements, organized under the same family structure as SP 800-171 (though not every family receives enhanced requirements). Level 3 can therefore encompass at most 110 + 35 = 145 controls, barring any further expansion of the framework. Certification at Level 3 requires triennial assessments conducted by the government (the DCMA Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than by a C3PAO, reflecting the heightened security standards needed to safeguard the most sensitive information within the DIB.
Who Needs Certification?
Organizations that are part of the DIB and seeking to bid on or fulfill DoD contracts will need CMMC 2.0 certification. This includes contractors, subcontractors, and suppliers who handle CUI or Federal Contract Information (FCI) in the course of their work. The level required depends on the type of information handled and on the requirements written into the contract: contracts involving only FCI mandate Level 1, while contracts involving CUI call for Level 2 or Level 3, depending on the sensitivity of the data and the threat environment the DoD associates with it.
When Will CMMC 2.0 Certification be Required for DoD Contracts?
Publications regarding CMMC 2.0 outline the Department’s strategic direction for the program. However, CMMC 2.0 will not be mandatory in contracts until the Department completes the rulemaking process, which it has estimated could take up to 24 months. Contractual adoption of CMMC 2.0 will follow completion of rulemaking.
Once CMMC 2.0 is in force, organizations will need to conduct annual self-assessments where their assigned level permits it. Organizations requiring a C3PAO assessment at Level 2 must be assessed every three years, and those at Level 3 will undergo government-led assessments every three years.
How Do You Obtain CMMC 2.0 Certification?
Third-party CMMC assessments are carried out by C3PAOs, whose assessment teams are staffed by Certified CMMC Assessors (CCAs). C3PAOs are authorized and listed by the Cyber AB, formerly known as the CMMC Accreditation Body (CMMC-AB).
With RSI Security as your C3PAO, obtaining CMMC 2.0 certification involves the following steps:
- Preparation and Implementation: Assess your organization’s current cybersecurity practices against the CMMC 2.0 requirements for your target level to identify gaps and areas needing improvement. RSI Security helps DoD contractors understand the full scope of controls required and provides guidance on implementing them, whether through system development or acquisition, to meet or exceed the DoD’s CMMC 2.0 standards. We also conduct readiness assessments so that the official assessment holds no surprises. Note that conflict-of-interest rules bar a C3PAO from assessing an organization it has consulted for, so plan to keep advisory work and the certification assessment with separate providers.
- Certification Assessment: RSI Security provides comprehensive CMMC 2.0 assessment services. Organizations whose contracts require a Level 2 certification assessment must have a C3PAO conduct and document a third-party assessment of their control implementations. On successful completion, the C3PAO uploads the assessment results for DoD review, and on approval your organization receives CMMC 2.0 certification at the assessed level.
- Compliance Maintenance: Maintain compliance with CMMC 2.0 by keeping the controls in place and updating your practices as your environment and the requirements change. A successful Level 2 certification assessment is valid for three years, with an annual affirmation of continued compliance required in between; a fresh triennial assessment is then needed to remain eligible for current and future DoD contracts. RSI Security provides ongoing support for maintaining CMMC 2.0 compliance.
Achieve and Maintain CMMC 2.0 Compliance
In the future, securing DoD contracts will depend on demonstrating CMMC compliance. Organizations handling CUI in addition to FCI will generally need to achieve at least Level 2, which for many contracts requires a certification assessment by a C3PAO such as RSI Security.
RSI Security is a certified C3PAO and was assisting organizations with DoD compliance long before the CMMC model existed. The Cyber AB (formerly the CMMC-AB) also recognizes RSI Security as a Registered Provider Organization (RPO) with several Registered Practitioners (RPs) on our team.
To learn how we can help your organization achieve CMMC, contact RSI Security today!