
The Basics of CMMC 2.0 for DoD Contractors

Written by Waits Sharpe | Jul 28, 2022 8:58:05 PM

The Cybersecurity Maturity Model Certification (CMMC) can be a complex topic that may be difficult to understand amidst all of the talk and chatter about "who needs to comply" and "rules you need to follow". Fortunately, understanding the fundamentals of CMMC can be extremely simple. Continue reading to learn the basics of CMMC 2.0 and how it will impact DoD contractors.

Update 10/15: The final CMMC 2.0 rule is here. The Cybersecurity Maturity Model Certification rule was officially published in the Federal Register as a final rule on October 15th. What does this mean for your organization? With the final rule in place, contractors must act now to protect CUI and align with the regulatory requirements. If your business needs guidance on navigating the complexities of CMMC 2.0, CorpInfoTech is here to help.

What is CMMC 2.0 (for DoD Contractors)

The Cybersecurity Maturity Model Certification, or CMMC, is a framework funded and developed by the Department of Defense (DoD) to provide a standardized set of requirements that bolster contractors' security posture. The primary purpose of CMMC is to protect controlled unclassified information (CUI) and federal contract information (FCI) that is shared with non-federal organizations contracted by the DoD or working within the Defense Industrial Base (DIB).

Many organizations wonder why these regulations are such a big deal. Over 300,000 organizations work within the DIB, which makes its attack surface incredibly large. Given the amount of sensitive information transmitted and stored between the federal government and private businesses, it is no surprise that bad actors target these organizations specifically. This is why CMMC was established: to make sure that everyone in the supply chain meets the same baseline for cybersecurity.

Depending on your organization's contract, there are different maturity levels you may have to comply with. The first iteration of CMMC had 5 maturity levels ranging from the most basic security controls to the most advanced. CMMC 2.0 consolidates those 5 levels into 3: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

The Foundational level covers basic safeguarding practices such as limiting system access to authorized users, authenticating users and devices before granting access, sanitizing media before disposal, and running and updating malicious-code protection. The framework as a whole is built on NIST SP 800-171 Rev. 2, a set of 110 security requirements developed by the National Institute of Standards and Technology (NIST): Level 2 maps to the full set of 800-171 requirements, Level 1 is a subset of those, and Level 3 adds selected requirements from NIST SP 800-172.

Which level you must meet depends on the contract. The Foundational level requires you to implement 17 practices and submit an annual self-assessment. While Level 1 does not require a third-party assessment, it does require a senior company official to affirm that the required practices are in place. This puts direct responsibility for a failure to comply on a named individual rather than on the organization as a whole, which makes it easier for the DoD to hold organizations accountable when a specific person has attested to the security of their organization.

The Advanced and Expert levels require assessments every three years (triennial, not three times a year): third-party assessments for Level 2 and government-led assessments for Level 3. Once again, all of these controls find their roots in NIST SP 800-171.

Key Players in CMMC

To create and implement such a detailed security framework, a number of entities and groups have to work together. Here are just a few of the key players within CMMC:

  • CMMC-AB: The CMMC Accreditation Body (since rebranded as the Cyber AB) is the organization that accredits and oversees the assessors and assessment organizations in the CMMC ecosystem. It does not write the controls; the CMMC framework itself is owned and published by the DoD.
  • C3PAO: Certified third-party assessor organizations are organizations the CMMC-AB has accredited and approved to conduct CMMC assessments and attest to the compliance of organizations seeking certification.
  • OSCs: Organizations seeking certification are, as the name implies, non-federal organizations looking to sign a contract that requires a certain level of CMMC compliance. These organizations work with C3PAOs to ensure they have implemented the necessary controls to become CMMC compliant.

These are just a few of the common acronyms and organizations you will hear about when researching the CMMC model. If you are an organization seeking certification, CorpInfoTech can help ensure your business becomes CMMC compliant!

The CMMC Compliance Timeline

So where does your organization start when it wants to become CMMC compliant? The answer depends on where your organization already is on the cybersecurity pathway.

Has your organization already implemented the most fundamental security practices? If so, you may already meet Level 1. If you have committed to implementing the controls outlined in NIST SP 800-171, you are much farther along the compliance pathway. To get a good grasp of where your organization stands, a gap assessment against the required level may be needed. From there, submitting a self-assessment and affirmation (Level 1) or engaging a C3PAO (Level 2) is your next step. Taking the advice of third-party assessors and implementing the necessary controls will make sure you are compliant by the time CMMC 2.0 requirements appear in your contracts.

If you believe your organization may have to comply with CMMC 2.0 regulations, feel free to contact CorpInfoTech today to find out what steps you need to take to become compliant!