Everything you need to know about CMMC 1.0 and the evolution to CMMC 2.0.
What does CMMC stand for?
The acronym stands for Cybersecurity Maturity Model Certification.
What is CMMC?
CMMC is a standard regulation for the implementation of cybersecurity for Defense Industrial Base (DIB) companies. Mandated by the Department of Defense (DoD), the CMMC framework consists of comprehensive assessments and scalable certifications to verify the implementation of processes and policies associated with the achievement of a cybersecurity maturity level.
DIB companies demonstrate their level of maturity through the level of CMMC certification they achieve.
What is CMMC 2.0?
CMMC 2.0 is the next iteration of the Department of Defense's CMMC cybersecurity model set to be released in May 2023. It streamlines requirements to three levels of cybersecurity instead of five levels – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
Why was CMMC created? What is the purpose of obtaining CMMC certification?
The CMMC framework is designed to provide increased levels of assurance to the DoD that DIB companies are adequately equipped to protect controlled unclassified information (CUI).
This certification verifies that contractors or C3PAOs have adequate cybersecurity controls and compliance policies in place to meet the DoD’s security standards.
The Department of Defense (DoD) released the latest version of its cybersecurity certification assessment (CMMC 2.0), a new framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. CMMC is an evolution of DFARS 252.204-7012 (NIST SP 800-171) and still requires third-party attestation.
Why is CMMC important?
In short, the CMMC provides clients with reassurance about a contractor’s security protocols.
Serving as a verification mechanism, CMMC is designed to ensure appropriate levels of cybersecurity controls and processes are adequate in protecting all data and information. Achieving a high-level CMMC accreditation is a sign that the Defense Industrial Base (DIB) company meets the DoD’s core objectives when it comes to cybersecurity.
Who needs CMMC Certification? Who does CMMC apply to?
As they continue an exclusive partnership with DoD in this effort, it is encouraged by the Department’s commitment to the Interim Program in which CMMC Certifications will be authorized, incentivized, and honored for those DIB companies who elect to pursue certification before the formal CMMC mandate is codified.
Even small businesses that provide a service or product and work indirectly with the DoD will need CMMC.
Who issues CMMC certification?
A non-government body called the CMMC Accreditation Board (CMMC-AB) is an organization made up of industry professionals, government officials, etc. who understand what the DoD needs and how private industry can relate back to it.
With a few different certifications that are available to the private industry surrounding CMMC, the CMMC-AB members will authorize and accredit C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements.
Types + Levels of 3rd Party CMMC Certifications
What are C3PAOs?
CMMC Third Party Assessment Organizations (C3PAOs) are certified CMMC assessors responsible for conducting CMMC assessments on behalf of the DoD. Once the assessment is completed, the C3PAO can appropriately issue CMMC certificates.
C3PAOs are authorized to:
Schedule, perform, and manage assessments
Provide advisory services
Hire and train individual assessors
Review results with the CMMC Accreditation Board (CMMC-AB) Quality Auditors
What are RPOs?
The role of Registered Provider Organizations (RPOs) is largely consultative. RPOs are well-versed in CMMC and help Organizations Seeking Certification (OSC) within the Defense Industrial Base (DIB) navigate the CMMC process.
As part of the RPO certification process, each organizational applicant must have at least one Registered Practitioner (RP) “associated” (as an employee or contractor) with the RPO at all times. An RP is someone trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard”.
At this point, RPOs looking to achieve C3PAO status may offer assistance around setting up the initial self-assessment and management of the action items that come out of the self-assessment in preparation for CMMC.
What role does a CMMC Audit play within the certification process?
CMMC Certifications are achieved through passing an external audit. Otherwise known as a CMMC Audit, it is an assessment of your organization’s cybersecurity by an accredited CMMC third-party assessment organization (C3PAO).
When will CMMC 2.0 be required? When will CMMC audits begin?
The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.
Title 48 CFR deals with Federal-level regulations for Acquisitions. This is where instructions to acquisition and procurement officers about how to manage contracts are kept.
CMMC 2.0 is expected to be required by mid-2023.
What is the cost of CMMC 2.0 Compliance? Is CMMC pay-to-play?
Since the CMMC certification is a new requirement, concrete costs are yet to be determined. What we do know is that there will be a varying range of costs depending on the level of CMMC achieved, along with preparation and audit costs.
In order to determine the variables that do impact the cost, start by asking the following questions:
Which level of CMMC are you looking to pursue? (Note that the higher the level, the greater the cost.)
What level of maturity does your current IT and cybersecurity infrastructure have? What changes need to be made in order to reach your desired level of CMMC compliance?
How big is your organization? How complex are the systems, processes, etc.?
What volume of CUI can you and your team handle? What scope of CUI does your team handle? How much CUI do you exchange with other DIB companies or government agencies? How many databases store CUI?
If your team does not have the bandwidth to take the necessary steps, how much will you have to rely on outside help (consulting or outsourced cybersecurity services) in order to prepare for the CMMC assessment?
What are the expenses associated with protecting the infrastructure that protects day-to-day tasks like email, file sharing systems, or cloud storage?
How much does it cost to engage a Certified Assessor? How much supply or demand exists in the market for Certified Assessors?
To give a well-informed estimate, not including preparation and audit expenses, it could cost an organization pursuing a CMMC Level 1 certification from $3000 to $5000. As the levels go up, the cost increases.
Achieving CMMC requirements for small businesses + SMBs:
While market forces will ultimately dictate the audit costs, the DoD has considered the financial burden that CMMC poses to SMBs.
At the end of the day, the cost depends on your cybersecurity maturity and can be anywhere from $20,000-$100,000. Companies with less mature environments – think non-compliance with comparable regulations like NIST 800-171 – will need to contend with consulting fees, increased CAPEX (on things like multifactor authentication, mobile device management, log monitoring), and increased OPEX (on things like security awareness training, additional personnel, etc.).
Are there penalties for noncompliance with CMMC?
Because the CMMC certification is a prerequisite for working with the DoD and is awarded by levels, the DoD anticipates that it will not impose penalties for CMMC noncompliance. However, failure to qualify for a required certification level will prevent a contractor from working with the DoD.
The Old CMMC 1.0 Model
CMMC Domains: The CMMC maps controls and processes across five certification levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced”.
The New CMMC 2.0 Model
With the implementation of the CMMC 2.0 progression model, the DoD introduces the following changes to the CMMC Model relative to CMMC 1.0:
Removing two progressive levels (level 2 and 4)
Eliminating the maturity processes and CMMC 1.0 level unique practices
What is the goal of CMMC 2.0?
Simplify the process of becoming CMMC certified / compliant to enhance clarity on cybersecurity regulations, policies, and contract requirements
Narrow the focus on third-party audit mandates and the most advanced cybersecurity measures of organizations
Increase DoD oversight of professional and ethical criteria regarding third-party assessments to better safeguard sensitive federal information
Total Controls: 17
CMMC Practices / Requirements: The minimum CMMC certification level requires basic cyber security measures and only requires that processes are performed, at least in an ad hoc manner. The 17 controls, or practice requirements, are equivalent to the 15 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, and are also equivalent to 17 practices drawn from NIST SP 800-171 Rev 1.
Total Controls: 130
CMMC Practices / Requirements: A level 2 CMMC certification requires that an organization maintain and resource a plan encompassing all stated activities.
There are a total of 130 controls at level 2, which include coverage of all practices from NIST SP 800-171 Rev 1, and 20 additional practices protecting controlled unclassified information (CUI) and ensuring cyber security methodologies are moderately resilient and comprehensive.
Total Controls: 171
CMMC Practices / Requirements: Level 3 requires prioritized acquisitions that would require independent assessment and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation.
CMMC Level 3 will only require the controls in NIST SP 800-172.
This aligns CMMC with other regulations which require NIST SP 800-171. For example, a Federal level notice from ISOO states that only NIST SP 800-171A will be used for the assessment of non-federal organizations holding CUI.
How to become CMMC certified?
To become CMMC certified and achieve compliance, Defense Industrial Base (DIB) companies must be audited and assessed by a certified third-party assessment organization (C3PAO) or an accredited individual assessor.
If you’re seeking to become CMMC compliant, here are a few steps to consider before getting audited:
Identify the desired maturity level you want to be certified for
Find an available C3PAO or an accredited individual assessor
Note that specific findings audited by the C3PAO will be confidential. Any level achieved will be made public knowledge.
Steps to CMMC Certification
The CMMC Interim Rule’s overall objectives are to establish CMMC as the new cybersecurity framework for DoD contracts and to instruct contractors to perform a self-assessment based on NIST 800-171 and report their score to the DoD.
Interim Rule Self-Assessment levels are defined in the interim rule as follows:
This is a self-assessment done by contractors using the DoD Assessment Methodology. This could go two ways: (1) If an organization has implemented all 110 controls outlined in NIST SP 800-171, then the score received and recorded in the SPRS Basic Assessment is 110. (2) If an organization has not implemented all 110 controls, then the Assessment Methodology is used to figure out that score. Each unimplemented control is assigned a specific value within the Assessment Methodology, and that value is subtracted from the total score of 110. Within 30 days of completing the assessment, contractors must post their score and the date by which they will achieve full compliance in SPRS. Until then, the resulting assessment score carries a confidence level of “Low”.
At this level, an assessment is conducted by the Government in which access to all systems and personnel needed to perform this assessment must be provided by the contractor. This assessment includes a review of the contractor’s Basic Assessment, as well as a thorough document review and discussions with the contractor for additional information as needed. The resulting assessment score carries a confidence level of “Medium”.
The assessment at the highest level combines both the Basic and Medium Assessments while also including the verification, examination, and demonstration of the contractor’s system security plan, validating the implementation of NIST SP 800-171 security requirements. The resulting assessment score carries a confidence level of “High”.
Avertium, a CMMC Registered Provider Organization (RPO) and pending C3PAO, is an expert in CMMC Assessment, Readiness, and Program Creation. Avertium will get to know your organization, set a baseline maturity index, and work with you tailoring a path to compliance and security program improvement that fits the way you do business.