The CMMC Framework Explained: How to Prepare Now for Compliance in 2023

The US Department of Defense (DoD) released its Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. Since then, the CMMC framework has undergone significant changes based on public comments and internal assessments. As you may imagine, small and mid-sized businesses have been vocal in their concerns regarding the cost of compliance as well as the complexity of the evolving CMMC framework.

As a result of public comments, the DoD released CMMC 2.0, which modified the CMMC 1.0 framework to ease the financial burden on SMBs without compromising security. CMMC 2.0 is expected to be effective in May 2023. By July 2023, the DoD expects to have CMMC requirements as part of requests for proposals (RFPs) and subsequent contracts. Any company wanting to do business with the DoD must comply with CMMC 2.0.

What is CMMC?

CMMC is a cybersecurity framework that measures an organization’s security posture. Its focus is the security of controlled unclassified information (CUI) and federal contract information (FCI) possessed by a DoD contractor. The original CMMC framework incorporated standards from other organizations, such as NIST and DFARS, into a single framework. CMMC 2.0 is more closely aligned with NIST standards.

CMMC and the DoD Supply Chain

According to Verizon’s 2022 DBIR, cyber attacks on supply chains increased dramatically in 2022. Whether the attacks were financially or politically motivated, the bad actors leveraged third-party vulnerabilities to infiltrate the supply chain. The Colonial Pipeline attack resulted from a single compromised password over a virtual private network (VPN) accessing their infrastructure remotely.

For the DoD, such compromises reinforced the need for a cybersecurity framework throughout its supply chain. That’s why any organization that supplies the DoD with raw materials, finished goods, components, and consulting or professional services must comply with CMMC 2.0 requirements. Any company or person contributing to the US defense system falls under the CMMC 2.0 framework.

CMMC Framework

A cybersecurity framework is a document or group of documents that stipulates the best practices to follow to mitigate cybersecurity risks. They are designed to minimize a company’s exposure to cyber attacks. The CMMC follows a maturity model rather than a full compliance framework. A maturity model uses a phased approach to implement a security program, while a full compliance model requires comprehensive security standards to be in place before granting compliance.

The phased approach allows organizations to establish robust security defenses over time without compromising protected data. As businesses move through the levels, they develop stronger protections that reduce the risk of compromise.

How is CMMC 2.0 Different?

CMMC’s cybersecurity regulations reduced the certification levels from five to three and its components from four to three. The following three components are part of the new CMMC framework:

• Practices. A practice indicates the implementation of a process that complies with cybersecurity regulations.
• Domains. The term refers to areas of cybersecurity as defined in NIST SP 800-171.
• Capabilities. These are the specific functions to be performed in compliance with government regulations.

Although processes are no longer a part of the framework, its intent still exists as part of practices. One of the first capabilities of a practice is to define it, which is the same as documenting a process. What are the differences between CMMC 1.0 and 2.0?

Levels

CMMC 2.0 has three certification levels instead of the original five. Levels two and four of CMMC 1.0 were removed as they were primarily transition levels. The new CMMC levels are based on the protected information a company possesses, as discussed below.

Level 1

This entry-level is considered foundational in that it applies to organizations that must protect FCI data. Level 1 aligns with the 17 controls found in FAR 52.204-21. It focuses on privacy regulations and limiting access to FCI data to authorized users.

A level 1 certification requires an annual self-assessment.

Level 2

Level 2 is considered advanced and focuses on organizations that have CUI data. Level 2 replaces the original domains with the 14 domains and 110 security controls in NIST SP 800-171. Level 2 requirements now align with the NIST standards.

Level 2 certification requires a third-party assessment every three years with some programs requiring an annual self-assessment.

Level 3

The third level is labeled expert and focuses on Advanced Persistent Threats (APTs). Companies working with CUI on high-priority programs. Although precise security requirements are in the rule-making phase, CMMC compliance will include NIST SP 800-171 and a subset of NIST SP 800-172. 

Level 3 certification requires a government-led assessment every three years.

Domains

CMMC 1.0 listed 17 cybersecurity domains with at least 100 capabilities. In CMMC 2.0, the domains were reduced to 14 to align with NIST SP 800-171. The 2.0 domains include:

• Access Control (AC). Organizations must limit the number of authorized users that can access protected information.
• Audit and Accountability (AU).  IT departments must perform security audits to ensure that protected data is secure. Part of the requirement is maintaining access logs.
• Awareness and Training (AT).   Companies must provide training to employees on security risks.
• Configuration Management (CM).  Contractors must have change management processes in place that compare modifications against a baseline configuration.
• Identification and Authentication (IA). IT must authenticate all entities before granting access.
• Incident Response.   Companies must have an incident response system in place for detecting, analyzing, and responding to security events.
• Maintenance (MA).  Organizations should have protocols in place for maintaining hardware and software, including access control procedures.
• Media Protection (MP).  Businesses must establish processes that ensure that all media is protected and properly disposed of when no longer in use.
• Personnel Security (PS).  Hiring policies should include evaluating personnel to prevent unauthorized access to CUI.
• Physical Protection (PE).   Physical access to computer systems should be limited and controlled.
• Risk Management (RM).  Contractors must include risk assessments of their supply chains.
• Security Assessment (CA).  Technical staff should perform code reviews and ensure security controls are in place.
• Systems and Communications Protection (SC).  Businesses must define security requirements for systems and communications.
• System and Information Integrity (SI).  Organizations must perform network and system monitoring to identify flaws and vulnerabilities.

The three domains removed from CMMC 1.0 were asset management, recovery, and situational assessment. 

Capabilities

Capabilities are the specific tasks that should be completed under each domain. For example, the audit and accountability domain has the following capabilities:

• Define audit requirements
• Protect audit information
• Perform auditing
• Review audit logs

Under NIST SP 800-171, there are 110 capabilities under the 14 domains. The number of capabilities under a specific domain varies from one to five. 

Affirmations

CMMC 2.0 requires an annual affirmation. A senior company official must sign the affirmation. The Department of Justice (DOJ) announced its intent to hold companies accountable if they knowingly misrepresent their cybersecurity posture.

How to Prepare for CMMC 2.0?

The DoD is in the rule-making process of the CMMC implementation. The DoD expects that CMMC 2.0 will be effective in May 2023 and start appearing in RFPs and contracts within a few months. Given that the time estimate for DoD compliance is nine to 24 months, any organization wanting to do business with the DoD should be in the process of assessing their CMMC compliance right now.

Assessments

Organizations should determine the level of certification they require. If a company does not handle CUI or FCI, there is no need for CMMC certification. However, businesses that handle FCI will need to meet Level 1 requirements.

• Level 1 does not require third-party certifications. Instead, companies must stipulate the technology, facilities, and external providers that process, transmit, or store FCI. They must perform an annual self-assessment and affirm that the requirements were met.
• Level 2 requires a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) every three years. Self-assessments will be required with affirmations in the years that a C3POA-conducted assessment is not performed.
• Level 3 requires compliance with NIST SP 800-171 and a subset of NIST SP 800-172. Government-conducted assessments will be performed every three years.

Once a contractor has determined the required certification level, they should develop a migration and system security plan.

Migration and Security Plan

Under CMMC 2.0, contractors can use Plans of Action and Milestones (POAMs) to meet non-critical security controls in very limited circumstances. A POAM is a plan that specifies what measures a company will take to correct a non-compliant capability at the time of an assessment. These measures might include:

• Training employees
• Harden business continuity plans
• Devising new process for security testing
• Conduct due diligence on third-party providers
• Create incident response plans
• Implement new access control policies

The acceptance of POAMs in lieu of compliance requires that the company provide sufficient documentation for DoD auditors.

Internal Audits

For companies looking for a Level 1 certification, an internal audit before a self-assessment can identify weaknesses that should be corrected. Waivers and POAMs will be granted on a limited basis and only for non-critical requirements. For most organizations, addressing deficiencies is a better option.

Businesses seeking a Level 2 or 3 certification should conduct internal audits to ensure compliance before an external assessment. Failing an external audit can be costly. Not only will the vulnerabilities require correction, but resources will be needed to conduct internal testing before a second assessment is performed. Each iteration of external testing consumes valuable resources.

Finding a Partner

Understanding CMMC 2.0 compliance can be challenging. Even in its streamlined form, there are still 17 domains and 100s of capabilities. Complying with some requirements may mean conducting vulnerability and penetration tests. It may mean deploying new technology. Knowing how to address these cybersecurity concerns can be overwhelming.

With CMMC expected to go into effect during the first half of 2023,  it’s time to look at your cybersecurity posture to ensure you can comply with DoD’s privacy regulations. Whether you are an existing contractor or want to become one, it is time to start internal assessments to identify your vulnerabilities and develop a plan to correct them. 

Let’s talk soon to create your personalized plan to ensure you, your team, and your business are ready for CMMC 2.0.