As cyber attacks become more calculated, complex, and high-stakes, many government agencies in the United States and around the world are closely examining who they do business with. Contracting with the wrong business could lead to major consequences, and in the U.S. Defense Industrial Base, a cyber attack could cost lives.
The U.S. Department of Defense released CMMC, a rigorous set of cyber standards for entities contracting with the DoD, in January of 2020. Then, in November 2021, they doubled back and released a more streamlined version of the certification. The change and unclear implementation timeline sparked confusion in many federal and defense spaces. Here, we’ve outlined some common questions, and a short action item list as you set off on your journey to meet CMMC 2.0 compliance.
Outline
What is CMMC?
CMMC is a set of cyber security standards set forth by the United States Department of Defense to prevent increasingly often and nefarious cyber attacks on businesses within the defense industrial base (DIB). Introduced in 2020, CMMC encapsulated five categories of compliance, each more rigorous than the next, with which companies would have to identify and comply.
The goal is for the DOD to set a benchmark for cybersecurity practices, to be sure they can trust their contractors’ security infrastructure wouldn’t be vulnerable to attacks. The DOD also wants to remain in lockstep with the cyber security standards laid out in DFARS, and The National Institute of Standards in Technology’s Cybersecurity Framework, particularly sections NIST 800-171 and NIST 800-172. While the NIST framework is voluntary, CMMC 2.0 is not voluntary for many businesses in the DIB. CMMC even lays out specific requirements from NIST that should be met in order to be CMMC 2.0 compliant.
Who Needs CMMC Certification?
Organizations contracting with the United States Department of Defense (DoD) and/or handling Federal Contact Information (FCI) and Controlled Unclassified Information (CUI) will be required to meet CMMC standards.
What Changed About CMMC 2.0?
CMMC 2.0 is an amended version of the original CMMC standards originally issued in 2020, taking into account critiques and pleas from organizations about cost, effort, and complexity. Here’s a quick rundown:
- Reduced the Compliance Level Model from 5 to 3
According to the Office of Under Secretary of Defense (OUSD), stages 2 and 4 within the CMMC 1.0 framework were originally intended to be transitional periods, and not measurement levels. To simplify and streamline the process, they changed the levels 1, 2, 3, 4, and 5, down to just 1, 2 and 3. There are no more transitional periods, only benchmarks.
Level 1 is for all organizations contracting with the DOD, and those who handle FCI. Level 2 is for organizations handling CUI, but perhaps not as frequently, or contractors who are building up to level 3 compliance. Level 2 companies must meet 72 outlined security practices. Level 3 is for organizations handling CUI frequently, and should meet 130 security requirements. Level 3 organizations will be assessed by government officials before securing contracts. While there is not a sweeping list of organizations mandated to meet level 3 requirements, the future may hold tighter regulations, and could potentially broaden the scope of level 3.
- Permits Self-Assessments at Levels 1 and 2
Self assessment allows smaller or medium-sized businesses in the DIB to reduce cost by self-assessing, or paying for an affordable third party, to affirm compliance with CMMC 2.0 requirements. Businesses will still be beholden to the standards of CMMC in their third-party or self assessments.
- Increases Standards for Third-Party assessors
The DOD and OUSD will keep a watchful eye over third-party assessors to ensure they are properly and ethically maintaining compliance within their assessments.
- Allows Plans of Actions & Milestones (POA&M)
The department will allow select entities to share plans of action to eventually reach CMMC 2.0 compliance, to cut down on cost and effort in meeting compliance in a short amount of time.
- Allows Waivers
This requirement allows an exception to the CMMC 2.0 rules for some contractors needed for urgent or mission-critical projects, and would require the approval of senior leadership.
- Reduced the Outlined Domains from 17 to 14
The newest domains, which are segmented into controls, now do not include Asset Management, Recovery, and Audit and Accountability. However certain practices may be folded into other domains.
What is the Deadline for CMMC 2.0 Compliance for DIB Entities?
The timeline for the rollout of CMMC 2.0 has been foggy, to say the least. Without giving a definitive timeline, the OUSD states that the requirements must be solidified in the rulemaking process. The Department estimates this process will take from 9 to 24 months - and many experts have predicted that CMMC 2.0 will begin showing up in contracts in 2025.
DIB contractors will need to be strategic and realistic about timing. The OUSD outlines the path to compliance as such:
First, companies must implement security practices that meet the requirements of the CMMC level they identify with. Then, the DOD will perform an assessment of an entity’s security infrastructure to verify compliance. Finally, compliance will be solidified with paper and pen as the DOD will transition to only contracting with entities that meet CMMC 2.0 compliance.
What Does This Mean For Your Company, Agency, or Organization?
Likely, less financial stress. One of the primary reasons for paring down the CMMC 2.0 rules was to ease the burdens of cost and time on the DIB, particularly small businesses. With less detailed requirements to fulfill and the allowance of self or third-party assessments, companies can seek out resources within their budget to meet these requirements.
According to the Office of the Under Secretary of Defense (OUSD), the DoD plans to release a comprehensive cost analysis for each level of compliance with CMMC 2.0.
What Are Your Action Items?
- Determine your CMMC level
Level one is a nice starting point, but the key to determining the appropriate level for your organization is to examine how often your organization handles CUI, what for, and for what purpose. For frequent handlers of CUI, you’ll likely want to shoot for at least level 2.
Your organization should investigate vulnerabilities by performing a self-assessment prior to beginning your CMMC compliance journey. You’ll need to take a deep dive into how your organization stores and shares CUI, and examine the adequacy of your current protections.
- Implement FIPS 140-2 Encryption to Protect Data in Motion and At Rest
256-bit encryption is lauded as a standard method of protecting data where it’s stored and when it’s in motion, and can be considered military-grade. CMMC level 3 requires that encryption be used for data at rest and in motion, data like: CUI, FCI, passwords, and more. But encryption is a method of data protection that’s become increasingly easy to implement, which will solidify compliance in all other CMMC levels without a particularly heavy lift. In particular, encryption services must be certified by FIPS 140-2.
For more information on how you should comply with CMMC 2.0, the OUSD has many resources and explainers at your disposal, including model overviews and consistent updates on the CMMC 2.0 timeline.
Virtru Can Help You Meet CMMC 2.0 Compliance
Virtru’s foundational data protection standard, the Trusted Data Format (TDF), was founded in the midst of the DIB, in the National Security Agency (NSA). By securing data transmitted through email, file sharing, gateways, and SaaS applications, Virtru empowers DIB organizations to apply end-to-end protections and Zero Trust controls to the nation’s most sensitive data no matter where it lives or travels.
By wrapping data with encryption at the object level, Virtru allows you to have complete, autonomous control over every piece of sensitive data. Granular access controls can be audited and monitored in the Virtru control center, where data owners have complete oversight of who has accessed any given piece of data, with the ability to revoke and grant access at any time. You can also have complete control over the encryption keys protecting your data with the Virtru Private Keystore, further supporting CMMC compliance.
To help organizations better understand CMMC 2.0, Virtru assembled experts in the Defense Industrial Base and cybersecurity industry to discuss what you can expect from these new requirements, and how they can prepare. You can watch the CMMC webinar recording here.
To learn more about how Virtru can help your organization meet CMMC 2.0 encryption requirements, contact our team today.
