In 2019 the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) and we are expecting the next iteration (CMMC 2.0) to be published for public review soon. The final version should be published early in 2024 and it will go into effect in Q1 of 2025. These timelines are critical for any organization that wants to do business with the DoD as they will need to demonstrate compliance prior to contract award.
What Is Cybersecurity Maturity Model Certification (CMMC)?
Government agencies are one of the most attacked entities for cyber criminals and nation-state actors. One of the common attack paths for the DoD is through the supply chain, which consists of hundreds of thousands of contractors and subcontractors that deliver products and services. The CMMC is a framework created to protect the DoD and Defense Industrial Base (DIB) from these attacks. Per the Department of Defense, “The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information (CUI).” This also applies to Federal Contract Information (FCI) as well.
The Cybersecurity Maturity Model Certification Framework
The original framework was introduced with five certification levels although the new model reduces the certification levels to three.
Reducing the CMMC Framework from Five to Three
The new CMMC certification requirements are designed to simplify how companies get certified, bring down the cost of assessment, and provide more ways for suppliers to attain certification. In a nutshell:
- Level 1 remains unchanged (Basic)
- Level 3 has become Level 2 (Advanced)
- Level 5 bas become Level 3 (Expert)
Fewer third-party audits
Some significant changes include fewer third-party audit requirements, a huge expenditure for most companies. Now, those in Level 1 and some in Level 2 only need to self-assess, and the rest in Level 2 only need to audit their contractors once every third year.
Now, under certain circumstances, a contractor may submit a Plan of Action and Milestones (POAM) in lieu of being fully compliant before being awarded contracts.
What Stayed the Same?
Significantly, contractors must still comply with all Controlled Unclassified Information (CUI) mandates within DFARS (Defense Federal Acquisition Regulation Supplement).
CMMC 2.0’s Three Levels
Level 1 (Foundational)
Level 1 consists of 17 security domains. These are the same as Level 1 of the original version of the CMMC. A notable change is that organizations can now self-assess annually which reduces the cost of assessment. This level is sufficient for organizations that only handle Federal Contract Information (FCI)
Level 2 (Advanced)
Level 2 is required for organizations that handle Controlled Unclassified Information (CUI). This level consists of 110 security domains and mirrors NIST SP 800-171, Rev. 2. Assessments are required every 3 years by a third party for critical national security information. However, there are select programs where organizations may self-assess annually.
Level 3 (Expert)
Level 3 is aligned with NIST SP 800-172 and requires assessment every three years led by the government. Compliance at this level is a matter of national security so organizations must have a proactive approach to protect CUI. This includes having a robust set of controls and processes as well as continuously reviewing and improving.
Fortra and CMMC 2.0
Fortra’s portfolio of government-ready solutions is poised to help contractors be CMMC-compliant by the 2025 deadline.
Fortra’s Tripwire Enterprise provides real-time change intelligence and threat detection along with proactive system hardening and automated enforcement. It also provides audit-ready reporting to ensure compliance requirements are being met.
Protecting CUI is a key mandate for achieving CMMC. Fortra provides a modular solution for protecting CUI. This includes data classification to ensure standardized sensitivity labeling, data loss prevention to block leakage of sensitive data, and secure collaboration (i.e., digital rights management) to encrypt and control access of sensitive files needing to be shared with your suppliers.
Preparing for Cybersecurity Maturity Model Certification
Staying competitive and minimizing costs requires preparation. Organizations need to do a self-assessment to surface gaps and create a plan to remediate them. They also need to identify what level of CMMC certification is required for the product and/or service they want to deliver because the organization may want to achieve Level 2, but only require Level 1, which would be a much faster path to compliance.
Nonetheless, this process could still take a year to 18 months to complete, so the time to get started is now.
Let’s Do This Together
Speak to one of our professionals to learn more about all the ways Fortra can help you become CMMC compliant.