CMMC Assessment and Compliance
What is the CMMC 2.0 and what does it mean for a small business that wants to do work for the government?
On October 21, 2016, the Department of Defense (DoD) issued its Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) and imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The final DFARS clause, 252.204-7012[2] (Safeguarding Covered Defense Information and Cyber Incident Reporting), specifies the safeguards that contractors and suppliers must implement, including cyber incident reporting requirements and additional considerations for cloud service providers.
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government …, the following security requirements apply:
(i) … the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. …
Because of the slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense released the CMMC to ensure that appropriate cybersecurity controls and processes are adequate and in place to protect specified DoD information that resides on DoD contractor systems.
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks.
At a high level, the CMMC program is derived from the full set of NIST 800-171 standards. With its streamlined requirements, however, CMMC 2.0:
Simplifies compliance by allowing self-assessment for some requirements
Applies priorities for protecting DoD information
Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
With the CMMC Assessment Methodology segments finally mandated, the following are the proposed assessment targets, broken into three assessment levels, along with the responsible entity for validating the assessment rating.
Level 1: 17 Practices; Self-assessment completed by the contractor prior to contract award
Certification for CMMC Level 1 will require contractors to meet implementation of 17 Cybersecurity Practices, tailored towards basic information protection and cyber hygiene. Level 1 organizations will have to show that the 17 practices are routinely and uniformly applied across the business.
In addition to meeting these practice requirements, verification of Maturity Level 1 compliance will be performed through self-attestation. This self-attestation must be signed by a senior-level company official.
Level 2: 110 Controls (Aligned with the NIST 800-171); Self and Assisted Assessment conducted by a Contracted 3rd Party Assessor Organization (C3PAO)
Certification for CMMC Level 2 will require contractors to implement all 110 Cybersecurity Practices, in alignment with the NIST 800-171 framework. As with Level 1, organizations will have to show that these designated practices are routinely and uniformly applied across the business.
To verify the implementation of Maturity Level 1 compliance, an annual self-attestation by a senior company official will be required, with the exception of CUI pertaining to ‘critical national security programs’.
Compliance for national security level programs and the accompanying CUI will necessitate an annual verification ‘assessment’ by a Certified 3rd Party Audit Organization (also known as a C3PAO). Assessments will be valid for three years unless there are issues requiring a reassessment sooner.
Level 3: 110+ Controls (Aligned with the NIST 800-172); Assessment conducted by government officials
The specific subset of programs is still being designated by DoD Acquisition & Sustainment. Certification for CMMC Level 3 will require contractors to implement an enhanced set of 110+ Cybersecurity Practices, which includes all 110 controls in NIST 800-171 as well as a subset of controls from NIST 800-172.
Level 3 organizations will have to verify, through a government-led assessment, that the 110+ practices are routinely and uniformly applied across the business.
The specific government auditing/assessment organization that will be tasked with Level 3 assessments has not been determined at this time.
[1] Office of the Undersecretary of Defense (OSD) CMMC portal. https://dodcio.defense.gov/CMMC/ (accessed Feb 16, 2023)
[2] DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting (accessed Feb 16, 2023)
Confused by all these requirements, or just want someone to help you navigate?
TECHFORGE Solutions brings critical expertise to the table to simplify the process of becoming CMMC (or 800-171) compliant. We can provide easy-to-follow procedures, manage the assessment, and deliver a robust set of documentation you can use for any client engagement. TECHFORGE Solutions provides the critical SME guidance, managed processes, and proven workflow tools for capturing, evaluating, and documenting outcomes to get you compliant.
Whether you need executive-level strategic consulting from a part-time CISO in a box, on-site or remote security support, 3rd party assessment or penetration testing, or a fully outsourced 24x7x365 security operations center (SOC) team, TECHFORGE can help.
Contact Us
A: 2681 Commons Blvd, STE 30 | Beavercreek, OH 45431
P: (937) 815-1875
E: Info@techforge.ai