The Pentagon recently announced a new version of the Cybersecurity Maturity Model Certification (CMMC) requirements. CMMC 1.0 was announced in 2020 and CMMC 2.0 indicates an effort to strengthen the new security standard. One of the biggest changes in CMMC 2.0 is that it reduced the levels of security compliance from five to three. The three levels will be as follows:
- Level 1: also referred to as the “foundational” level, will require contractors to conduct annual self-assessments and implement 17 cybersecurity practices
- Level 2: also known as the “advanced” level, will require contractors to be compliant with NIST SP 800-171
- Level 3: will be seen as the “expert” level, which is going beyond the cybersecurity practices in NIST SP 800-171.
In the original CMMC Certification, every level had to be assessed by a third party. In CMMC 2.0, an organization can reach Level 1 with just a self-assessment. At Level 2, a company will have to undergo triannual third-party assessments. At Level 3, it will have to undergo triannual government-led assessments. Compliance costs are expected to be significantly lower under CMMC 2.0 than under CMMC 1.0.
Rulemaking for CMMC 2.0 is still ongoing. If you need a refresher on CMMC 1.0 and the basis for creating this security standard, continue reading.
Who Needs a CMMC Certification?
For federal organizations, any cyberattack can result in the loss of controlled unclassified information (CUI), which is a significant risk to national security. Any organization that conducts business with the Department of Defense (DOD) is a valuable target for cyber threats. Tightening security protocols for every contractor that works with the DOD can help prevent cybersecurity attacks that impact the nation.
For several years, there has been demand within the Department of Defense (DOD) for increased cybersecurity requirements. The Cybersecurity Maturity Model Certification (CMMC) has emerged as a process to ensure that all defense industrial base (DIB) contractors who handle controlled unclassified information (CUI) can meet cybersecurity requirements. CMMC emerged in early 2020 and has undergone some changes over time to further ensure security. The goal of the framework is to ensure that defense contractors meet a basic level of cybersecurity hygiene to protect sensitive information.
CMMC asks that all DOD contractors complete third-party cybersecurity assessments. The CMMC Accreditation Body has been assigned by the Pentagon to train and certify C3PAOs, or Certified Third-Party Assessor Organizations. The CMMC Accreditation Body is a nonprofit separate from the DOD. Once trained, the C3PAOs will assess each contractor’s cybersecurity against the basic requirements.
What is the CMMC Certification?
The goal of CMMC is to ensure that defense contractors do not become victims of cyber-attacks. If defense contractors are hacked, the result is the loss of sensitive information that is pertinent to government functions. In fact, malicious cyber activity cost the US economy between $57 billion and $109 billion in 2016, according to a 2018 report by the White House Council of Economic Advisers. With the intention of minimizing this cost, the DOD developed CMMC to implement one standard of security across the defense industrial base. An industry standard like CMMC helps ensure that security assessments at defense organizations do not fall through the cracks.
Being a maturity model, the CMMC framework serves as a way to get from one level of security to the next. It gives a set of processes and practices to get to each level of security instead of a checklist system.
CMMC Levels
Each level of CMMC is cumulative, meaning that as you advance levels, you add practices and processes to the ones already obtained at the lower levels. Each level indicates a higher degree of protection of sensitive data. CMMC 1.0 began with 5 levels:
- Level 1: Basic protection of federal contracting information
- Level 2: Requires the documentation of policies to guide CMMC implementation efforts
- Level 3: Includes NIST 800-171 requirements and other standards
- Levels 4-5: Protect controlled unclassified information and reduce the risk of advanced persistent threats
With the launch of CMMC 2.0, the standard will move forward with 3 levels: foundational, advanced, and expert instead of the original 5 levels.
How to Obtain the CMMC Certification?
CMMC assessments will be conducted by authorized C3PAOs. Based on the results of these assessments of a contractor’s unclassified network, certifications will be awarded. Since CMMC is still new, obtaining CMMC accreditation may be a lengthy process, as there are not many C3PAOs available to conduct the certification. To start the certification process, complete the requirements for Level 1 and work your way up from there. As with every security assessment or certification, compliance is continuous. Every time an organization adds new software or a new employee, or as software becomes outdated, its security posture changes and new risks can arise. For this reason, compliance should always be re-evaluated.
CMMC vs NIST
Aspects of CMMC are comparable to the existing security requirements published by NIST (the National Institute of Standards and Technology). While the NIST security standard is voluntary, the Department of Defense plans to make CMMC a requirement for DOD contractors by 2026. At the “advanced” CMMC level, an organization will effectively have implemented the NIST 800-171 and NIST 800-172 requirements, which demonstrates an essential ability to protect controlled unclassified information. However, unlike NIST, CMMC includes assessments that specifically assign a company a maturity level.
Where to start?
If you are already compliant with an existing security framework, you may be well on your way to maturing through the CMMC certification levels. Aurora provides full lifecycle consulting and assessment services for over 15 frameworks and 18 security domains. Aurora Service Operations can also help your organization easily organize, remediate and deliver cybersecurity and compliance programs. We can combine redundant controls when applying multiple frameworks by centralizing data into one single compositor. In addition to providing consulting for the CMMC framework and NIST 800-171, we can also provide the tools to be compliant with ISO 27001, HIPAA, PCI DSS, and more. Contact sales@aurorait.com to learn more.