Recently the DoD released changes to the Cybersecurity Maturity Model Certification (CMMC), which is a framework built to better evaluate and refine the cyber hygiene of the Defense Industrial Base (DIB). The DIB includes over 300,000 contractors and subcontractors in the DoD supply chain and continues to be a frequent target for cyber-attacks. Originally when CMMC 1.0 was released, it was criticized for being too complex and expensive for small and midsize organizations within the DIB. The DoD responded to these concerns by releasing CMMC 2.0, an updated version of the CMMC framework. CMMC 2.0 includes new CMMC levels with updated practices and procedures. Below we will discuss the changes in the new CMMC framework and what they mean for your organization.
The New CMMC Levels:
The New CMMC Framework includes several key changes including 3 updated CMMC levels, highlighted in the diagram below:
In the original CMMC 1.0 there were five levels, with level 5 at the highest end of the framework. However, levels 2 and 4 in the original CMMC 1.0 model were transitional levels, and many organizations would not need to be compliant with them. Instead, they needed to achieve level 1, 3 or 5, making levels 2 and 4 little more than "pass through" levels. Therefore, in CMMC 2.0 the DoD condensed the five levels into three new CMMC levels.
- CMMC 2.0 Level 1: Level 1 is known as the Foundational level; this includes 17 practices and an annual self-assessment to ensure controls and procedures are in order.
- CMMC 2.0 Level 2: Level 2 is known as the Advanced level; this includes 110 practices that align with NIST SP 800-171. Some components within this level will have to be assessed by a third party, and some components will require a self-assessment.
- CMMC 2.0 Level 3: Level 3 is known as the Expert level; this includes 110+ controls based on NIST SP 800-172. This level will require an official government-led assessment.
CMMC 2.0 Next Steps:
With so much new information being released it can be difficult to determine the next steps for your organization; however, there are several ways to get started:
Implement basic cybersecurity measures within your organization in order to have a good base to fulfill CMMC requirements. For a good starting list of cybersecurity initiatives to take, please read our blog post:
5 Cybersecurity Initiatives to Meet CMMC Certification & Buy American Company Security Standards
NIST SP 800-171 Self-Assessment
An important next step for any organization looking to get CMMC certified is a NIST SP 800-171 Self-Assessment. Many of the controls listed in NIST SP 800-171 directly correlate to the CMMC 2.0 requirements for Level 2. This assessment will highlight all the processes and procedures that your organization needs to put in place to begin your process to meet CMMC requirements. You can access that self-assessment here to get started.
Plan of Action and Milestones (POAM)
The final step to take when your organization is starting to prepare for CMMC requirements is creating a plan of action and milestones (POAM) based on your results from the NIST SP 800-171 assessment. This is important because each control the assessment found unmet needs a documented plan of action before remediation can start. This can include things such as:
- Remediating any missing policies or procedures.
- Adding in any new security solutions.
- Creating documents.
- Building ownership of these documents.
By planning out these tasks for your organization you can build cyber maturity and work toward passing all the controls within the new CMMC 2.0 framework.
Although there are a lot of recent changes happening, all of them are to benefit organizations within the DIB who need to be CMMC certified. CMMC 2.0 was created in order to make it easier for organizations to have the proper practices and controls in place to be protected against cyber-attacks.
CompuData is a Managed Service Provider (MSP) and a Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO), accredited by the CMMC-AB marketplace, helping DoD suppliers and government contractors obtain adequate security protection and meet required guidelines. Our CMMC services help organizations practically and efficiently create a strategy for CMMC readiness that guarantees long-term success. Whether you are looking for an assessment, security planning or implementation, or cybersecurity support, our technology experts can help.