What is CMMC 2.0 Compliance? – A Beginner’s Guide

What is CMMC 2.0 Compliance? – A Beginner’s Guide

0 Comments

What is CMMC compliance?

The United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) program to assess defense contractors’ cybersecurity skills, readiness, and competence. The framework is a combination of procedures, guidelines, and inputs from existing cybersecurity standards like the National Institute of Standards and Technology (NIST) , Federal Acquisition Regulation (FAR), and Defense Federal Acquisition Regulation Supplement (DFARS) at a high level.

 The CMMC program’s main purpose is to increase the trustworthiness and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) maintained by Federal contractors. Cyber security guidelines for enterprises in the defense industrial base are part of the CMMC program. CMMC gives the Department assurance that contractors and subcontractors are following DoD cybersecurity requirements by embedding cybersecurity standards into procurement programs. 

 Malicious actors and non-state groups are increasingly targeting the Defense Industrial Base (DIB) with increasingly complicated cyberattacks. The DoD’s main objective is to dynamically improve DIB cybersecurity to address these emerging threats, as well as to safeguard the information that supports and enables our fighting forces. CMMC is an important part of the Department’s large-scale DIB cybersecurity initiative.

Below is a brief timeline of CMMC related events:

  • On January 31, 2020, the CMMC program was unveiled 
  • DoD began issuing a limited number of requests for information with CMMC standards in September 2020 
  • It is predicted that by 2026, CMMC will be a prerequisite of all new DoD requests for proposals

What is the purpose of implementing CMMC? 

Before the CMMC, all contractors handling sensitive government data and information (CUI) were required to follow the standards outlined in DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The criteria demanded adherence to NIST 800-171 cybersecurity procedures, which the Defense Industrial Base (DIB) would self-certify as being met.

The prior self-attestation strategy, however, was deemed insufficient to secure the defense supply chain from potential IP theft and cyber intrusions. Malicious cyber activity is predicted to cost $57 billion per year in economic costs, and cyber breaches could potentially endanger the US economy and national security

In recent years, attackers have shown a rapid expansion in complexity and operational security skills. Significant and persistent attacks on defense industries’ networks and systems are emerging. The CMMC was established to boost the Defense Industrial Base’s cybersecurity capabilities (DIB). It guarantees that contractors protecting sensitive information on behalf of the government follow industry standards. 

What are the 3 different levels of CMMC 2.0?

The CMMC framework consists of the security requirements from NIST 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The model framework organizes these practices into a set of domains, which map directly to the NIST 800-171 Rev 2 families. There are three levels within CMMC- Level 1, Level 2, and Level 3.

CMMC levels and associated sets of practices are cumulative across domains. To be more specific, in order to reach a certain CMMC level, an organization must also demonstrate achievement of the lower levels that came before it. If an organization does not attain its goal level, it will be certified at the highest level for which all applicable procedures have been met.

The three levels are scaled and built on the requirements of the previous levels. Each level involves compliance with lower-level regulations as well as the implementation of additional processes to apply specified cybersecurity-based procedures.

CMMC, Model, Assessments, Levels, Security, Cybersecurity, DoD

The three levels of CMMC are:

  • Level 1
    Includes the FAR Clause 52.204-21’s fundamental safeguarding standards for FCI. Only activities that adhere to the basic safeguarding standards outlined in 48 CFR 52.204-21, usually referred to as the FAR Clause [3], are included in Level 1, which focuses on the protection of FCI. 
  • Level 2
    Covers the security standards for CUI as outlined in NIST SP 800-171 Rev 2 [3, 4, 5], as well as the DFARS Clause 252.204-7012 [3, 4, 5]. The 110 security standards listed in NIST SP 800-171 Rev 2 [4] are covered by CMMC Level 2, focusing on the protection of CUI.
  • Level 3
    Measures for minimizing the risk of Advanced Persistent Threats (APTs) Information on Level 3 will be available at a later date and will include a subset of the NIST SP 800-172 [6] security standards.

Contractors and vendors must meet the specifications for procedures and processes associated with each certification level across these 14 domains that align with the families specified in NIST SP 800-171 in order to reach the targeted level.

• Access Control (AC) 

• Awareness & Training (AT) 

• Audit & Accountability (AU) 

• Configuration Management (CM) 

• Identification & Authentication (IA) 

• Incident Response (IR) 

• Maintenance (MA) 

• Media Protection (MP) 

• Personnel Security (PS) 

• Physical Protection (PE) 

• Risk Assessment (RA) 

• Security Assessment (CA) 

• System and Communications Protection (SC) 

• System and Information Integrity (SI) 

Conclusion

CMMC independently certifies that a company follows best practices in cybersecurity processes and operations. There are three levels to the CMMC framework. Starting with fundamental safeguarding of FCI at Level 1, advancing to wide protection of CUI at Level 2, and finally minimizing the risk of Advanced Persistent Threats (APTs) at Level 3. The CMMC framework is reinforced by a certification scheme that verifies the practices’ implementation. 

The CMMC framework was developed in partnership with a community of DoD stakeholders, UARCs, FFRDCs, and the DIB sector to fulfill the DoD’s demands for unclassified information protection during the purchase and maintenance of products and services from the DIB. 

Since CMMC is meant to grow with an organization’s maturity level, it may be used to benchmark and improve a company’s cybersecurity capabilities. These enhancements make information more secure while also improving network and system best practices. Organizations gain from upgrading their systems and processes since the repercussions of a cybersecurity breach can be severe.

This concept is one of several initiatives being pursued by the DoD and industry to improve the security of the DIB sector. These activities are critical in laying the groundwork for future DoD acquisitions by establishing cybersecurity as a basis. 

If your organization functions as a defense contractor with the DOD, and deals with CUI and FCI, you must ensure that the CMMC level data protection requirements are met. Caplock Security offers a broad range of services and solutions to help organizations facilitate change, achieve their vision and optimize performance and productivity.

Read more from our CMMC Series:

Share this post

Author

Related Posts

Hardware Security Professionals Business Organizations Compliance Cybersecurity
09Nov

6 Tips for Hardware Security in 2022

Hardware security is crucial within an organization since the... read more

Healthcare tools, IT tools, Cybersecurity Healthcare
28Sep

Top 5 Cybersecurity Tools for Healthcare Organizations

With the help of the five cybersecurity solutions covered, vulnerabilities... read more

28Jun

Cybersecurity Experts Warn of Emerging Threat of “Black Basta” Ransomware

Cybersecurity experts warn of emerging threat "Black Basta" ransomware.... read more

Christmas Holiday Season Cybersecurity Threat Overview
14Dec

Holiday Season Cybersecurity Threat Overview

During the holiday season, businesses of all sizes see... read more

Employee Awareness Training Six Elements
25Nov

The 6 Essentials of Employee Security Awareness Training

The goal of cybersecurity awareness training & education for... read more

22Mar

U.S. Government Warns Companies of Potential Russian Cyberattacks

The U.S. government has again warned of possible cyberattacks by Russia... read more

Cybersecurity KPIs Metrics for Organization and Board Dashboard
09Dec

Top 5 Must Track Cybersecurity KPIs & Metrics

With Cyberthreats always growing and becoming more difficult to... read more

02Jun

ExpressVPN Removes Servers in India After Refusing to Comply with Government Order

Virtual Private Network (VPN) provider ExpressVPN on Thursday announced... read more

12Jan

NIST publishes updated draft guidance for engineers under Special Publication 800-160

NIST recently published updated draft guidance for engineers under... read more

10Jun

Weekly Cyber Roundup (June 10, 2022)

WEEKLY CYBER BYTES 📅 Mandiant and Lockbit have public display of... read more