What Is CMMC 2.0? A Guide to CMMC Compliance Requirements for Defense Contractors
If your company is a prime or subprime contractor for the Department of Defense (DoD), you’ve likely seen the letters “CMMC” a lot lately. That’s because the DoD is expected to complete the rulemaking process for CMMC 2.0 by November 2024.
What does that mean for your business, and how should you prepare? In this post, we cover everything you need to know about CMMC 2.0.
What is CMMC 2.0?
The first question many people have is, “What does CMMC stand for?” CMMC stands for Cybersecurity Maturity Model Certification. CMMC is designed to ensure that cybersecurity controls and processes adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
CMMC 1.0 was finalized in 2020. CMMC 2.0 — expected in 2024 — is an updated framework with three control levels, as opposed to the five maturity levels in CMMC 1.0.
CMMC 2.0 requirements
With the CMMC 2.0 program, the DoD introduced several changes compared to the original version of the program. Most obviously, the model has been streamlined from five to three compliance levels that each correspond with existing, widely accepted cybersecurity standards. And while many organizations will require third-party assessment, many will be able to demonstrate compliance through self-assessment, reducing costs for these organizations. Additionally, the DoD will allow companies to receive contract awards with the creation of a Plan of Action & Milestones (POA&M) that describes how and when CMMC controls will be met.
The CMMC 2.0 model
The CMMC 2.0 framework organizes multiple cybersecurity standards and best practices into a set of practices and processes across three increasingly stringent levels. These practices and processes must be applied across 14 domains (i.e., control families):
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What are the levels of CMMC 2.0?
CMMC 2.0 Level 1 (“Foundational”) requirements
This level includes basic cybersecurity appropriate for small companies using a subset of universally accepted common practices that organizations must perform. Level 1 contractors are those that handle Federal Contract Information (FCI) but not CUI. One of the more significant changes from CMMC 1.0 to 2.0 is that Level 1 is now a self-assessment only, placing this responsibility on the organization itself. Level 1 includes the same 15 controls outlined in Federal Acquisition Regulation (FAR) 52.204-21.
CMMC 2.0 Level 2 (“Advanced”) requirements
Level 2 contractors are those that handle CUI. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. The DoD has pared down the 130 practices in the original CMMC Level 3 baseline to the 110 practices outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. “Critical” handlers of CUI will need a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) for CMMC certification every three years. Level 2 processes must be documented and managed to protect CUI.
Note: The DoD’s definition of “critical” CUI has not yet been provided. The final rule will outline what CUI qualifies as critical.
CMMC 2.0 Level 3 (“Expert”) requirements
Level 3 is for organizations with the highest-priority programs with CUI. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level will replace what was formally known as CMMC Level 5. Level 3 will add additional requirements pulled from NIST 800-172 in addition to the Level 2 requirements. It is expected that organizations will be required to be assessed by the DoD directly every three years for Level 3 requirements.
CMMC 2.0 vs. NIST 800-171
CMMC 2.0 is influenced heavily by the requirements in NIST 800-171. CMMC 2.0 Level 2 essentially mirrors NIST 800-171. If your organization processes CUI and does business with the DoD, you are already required to implement NIST 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
Additionally, the DFARS Interim Rule went into effect in November 2020. The interim rule requires DoD contractors to self-assess their implementation of NIST 800-171 and report their score through the Supplier Performance Risk System (SPRS). Performing this self-assessment and remediating any identified gaps simulates what CMMC 2.0 certification will be like.
Who must comply with CMMC? Does the DoD require it?
Once finalized, CMMC 2.0 will be mandatory for all entities doing business with the DoD at any level who store, transmit, or process information that meets the standards for FCI or CUI. Prime contractors and their subcontractors will be required to meet one of the three CMMC trust levels and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial award or continuance of a DoD contract will be dependent upon CMMC compliance.
No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal, they must be CMMC compliant.
CMMC 2.0 timeline
The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the CMMC process in March 2019. The predicted date for the CMMC 2.0 rulemaking process to be completed has shifted several times, but the timeline below provides a history of significant milestones in the project thus far.
- January 2020: Version 1.0 was finalized and a compliance checklist was released.
- June 2020: CMMC began appearing in requests for information (RFIs).
- September 2020: CMMC began appearing in requests for proposals (RFPs).
- November 2020: The DFARS interim rule became effective; the original five-year phase-in period began.
- March 2021: DoD initiated an internal review of CMMC 1.0.
- November 2021: CMMC 2.0 was announced.
- September 2022: Cyber AB, the CMMC accreditation body, established training and accreditation processes.
- December 2023: The CMMC program proposed rule was released.
- May 2024: DoD’s Regulatory Control Officer submitted a draft of the proposed DFARS rule to the Office of Information and Regulatory Affairs (OIRA).
- June 2024: 32 CFR 170, the rule finalizing the CMMC program, was submitted to OIRA for review.
- August 2024: The proposed rule for 48 CFR, the rule implementing the enforcement of the CMMC program into contract requirements was released
Has CMMC 2.0 been released?
The 32 CFR final rule has yet to be released, but rulemaking is expected to be complete by November 2024.
When will CMMC 2.0 certifications be available?
To obtain a CMMC Level 2 Certification, you will need to be assessed by a C3PAO. These Assessments can begin once the 32 CFR rule becomes effective, which is expected to be March/April of 2025.
When will CMMC 2.0 be required for DoD contracts?
The DoD will begin to add CMMC 2.0 requirements into contracts in a phased approach after the 48 CFR rule is finalized. As the proposed 48 CFR rule was published in August 2024, it’s anticipated that the phased rollout into contracts will begin Q2 of 2025.
Because CMMC is considered a “major rule,” it is subject to the Congressional Review Act, which gives Congress 60 days to act once it receives the rule. If the DoD wants CMMC effective in early 2025, it must reach Congress by mid-October. If not, it goes to the next session in January, delaying the effective date to March (more info here).
How much does CMMC certification cost?
CMMC assessment costs are very scope-dependent as different organizations will have different sensitive data flowing through different numbers of assets. The DoD has assumed for the phased rollout of CMMC that roughly 35% of DIB contractors will require a certification assessment for Level 2, with the number of entities increasing incrementally over seven years (see p. 89085-89086 of Federal Register Vol. 88, No. 246).
With that said, the potential loss in business is too large for most organizations to forego certification. As mentioned earlier in this article, CMMC compliance will be required for all DoD prime and subprime contractors once the rule is finalized. For contractors that fall in CMMC Levels 2 and 3 and handle critical CUI, third-party certification is mandatory to continue doing business with the DoD.
Next steps: How to prepare for CMMC 2.0 certification
- Determine your organization’s CMMC level. Level 1 is for contractors and subcontractors processing FCI. Level 2 is for organizations processing CUI. Only organizations working on the DoD’s most sensitive programs will be expected to achieve Level 3 certification.
- Review the assessment guide for your CMMC level. The CMMC Level 1 Self-Assessment Guide and Level 2 Assessment Guide explain how contractors will be evaluated when CMMC is launched and organizations are pursuing certification. Unfortunately, there is not yet an assessment guide for CMMC Level 3.
- Work with a tech-enabled organization to secure your data. Cybersecurity solutions like Summit7, RISCPoint, and PreVeil can help you secure your FCI and CUI to prepare for CMMC compliance.
- Select a C3PAO and complete a readiness assessment. Don’t wait until the rule is finalized to find a C3PAO. Start validating your organization’s readiness now, as you will need time to remediate any gaps found.
- Sign a contract for CMMC certification ASAP. Once CMMC 2.0 certification starts showing up in DoD contracts, organizations that didn’t plan ahead will be scrambling to find a C3PAO and get in line for assessment.
Why sign a CMMC certification contract now?
By getting under contract for CMMC certification now, you can get in the queue before other organizations rush to meet the compliance deadline. When CMMC is finalized, prime contractors will start asking subcontractors for their status toward compliance. It can take up to 12 months for contractors to get ready for a CMMC assessment. In other words, once CMMC shows up in contract requirements, it will be too late to get started.
Given the large number of organizations (roughly 80,000) that will need certification and the fact that there are only 56 C3PAOs that can perform assessments, organizations that don’t get ahead could get left behind.
Don’t wait — get ready for CMMC 2.0 now with A-LIGN
A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is an accredited C3PAO and FedRAMP 3PAO with the ability to work with any organization, from small businesses to the largest global enterprises. With our extensive experience across NIST frameworks and 1000+ federal assessments completed, A-LIGN is the industry leader for cybersecurity compliance.
No matter where you are in your CMMC journey, A-LIGN is here to help. Reach out today to get started and secure your spot in our CMMC certification queue.