September 03, 2024 3 Minute Read

The Cybersecurity Maturity Model Certification (CMMC) framework is undergoing a significant transformation with the introduction of CMMC 2.0. This revamped approach aims to streamline compliance, reduce costs, and enhance the overall security posture of the defense industrial base (DIB).

CMMC is a framework developed by the U.S. Department of Defense (DoD) to assess and certify the cybersecurity posture of its contractors and subcontractors. It's designed to protect sensitive unclassified information (CUI) that is shared with these partners.

CMMC’s key purpose is to ensure that defense contractors have adequate cybersecurity measures in place to protect sensitive information and the regulation applies to the DIB, which includes contractors and subcontractors involved in DoD projects. The CMMC requires contractors to undergo a third-party assessment to achieve a specific CMMC level and it has five maturity levels, ranging from basic cybersecurity hygiene (Level 1) to advanced practices (Level 5).

CMMC 2.0: A Simplified Approach

The initial CMMC framework was complex and to address these challenges, the DoD introduced CMMC 2.0. This revised version simplifies the model by reducing the number of maturity levels to three; aligning requirements with existing cybersecurity standards like NIST; and focusing on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 Enforcement Timeline

CMMC 2.0 is expected to be fully implemented in stages over the next few years, although the exact timeline may still fluctuate, here's a general overview:

• Q1 2025: The Department of Defense (DoD) aims to start including CMMC requirements in new contracts.
• Phased Rollout: The full implementation of CMMC 2.0 across all defense contracts is projected to take around three years, with the goal of completion by October 1, 2025.

It's important to note that while the full implementation might take time, the DoD is already taking steps to incorporate CMMC requirements into the procurement process.

Let's delve into the key changes being incorporated into CMMC 2.0:

Key Changes in CMMC 2.0

• Reduced Maturity Levels: CMMC 2.0 simplifies the compliance process by reducing the number of maturity levels from five to three:
  • Level 1 (Foundational): Focuses on basic cyber hygiene practices and aligns with Federal Acquisition Regulation (FAR) 52.204-21.
  • Level 2 (Advanced): Requires the implementation of National Institute of Standards and Technology (NIST) SP 800-171 standards, which are more rigorous and aimed at protecting Controlled Unclassified Information (CUI).
  • Level 3 (Expert): Requires compliance with all 110 controls in NIST SP 800-171 and additional cybersecurity measures.
• Phased Implementation: CMMC 2.0 introduces a phased implementation timeline, allowing organizations ample time to prepare for compliance. The rollout is expected to span 2.5 years, with the first phase commencing in early 2025.
• Self-Attestation for Level 2: In a bid to reduce compliance burdens, CMMC 2.0 permits self-attestation for some organizations handling CUI at the Level 2 maturity level. This means they can assess their compliance without undergoing a third-party audit.
• Intensified Focus on Third-Party Risk: Recognizing the importance of supply chain security, CMMC 2.0 places a greater emphasis on assessing and managing third-party risk. External service providers (ESPs) will be required to achieve CMMC certification at the same level as their defense clients.
• Alignment with NIST 800-171: CMMC 2.0 continues to align with NIST 800-171, ensuring consistency with other cybersecurity standards.

Benefits of CMMC 2.0

CMMC 2.0 offers several advantages. It simplifies the compliance process, reducing the burden on many organizations through streamlined maturity levels and self-attestation options. Additionally, by focusing on critical cybersecurity controls, CMMC 2.0 enhances overall organizational security posture. Furthermore, the increased emphasis on third-party risk management strengthens the defense supply chain against cyber threats.

Preparing for CMMC 2.0

While the final CMMC 2.0 rule is still under development, organizations can take proactive steps to prepare. Understanding the new requirements is crucial. Stay informed about the latest updates and how they will impact your organization. Additionally, assessing your current cybersecurity posture is essential. Identify weaknesses in your existing security controls and develop a plan to address them.

Furthermore, building relationships with qualified CMMC assessors can be beneficial, especially if a third-party assessment is required. Finally, incorporating cybersecurity into your business culture is vital. Foster a workplace where cybersecurity is a priority and employees understand their role in protecting sensitive information.

CMMC 2.0 represents an evolution of the DoD’s cybersecurity requirements, balancing the need for strong protections with the practicalities of implementation. By streamlining certification levels, allowing for self-assessments, aligning with existing standards, and introducing a phased implementation, CMMC 2.0 aims to enhance the security of the defense supply chain while reducing the burden on contractors. As these changes take effect, contractors will need to stay informed and proactive in their cybersecurity efforts to ensure compliance and protect sensitive information.

Trustwave Government Solutions is committed to supporting organizations in their cybersecurity journey. Our comprehensive government solution offer expert guidance, assessment services, and tailored cybersecurity strategies to build a stronger, more secure future.

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from Trustwave.