In a recent online briefing, SureCloud’s Risk Advisory Senior Director, Craig Moores, sat down with Senior Consultant Tom Hodgkins to discuss the ‘what’, ‘how’, ‘when’ and ‘why’ of Cybersecurity Maturity Model Certification (CMMC) 1.0.
At the time, CMMC 2.0 had only just been announced, and the changes it would bring were yet to be determined. Now that some of those changes have been detailed, Craig invited Tom Cornelius, Partner at Compliance Forge and Founder of the Secure Controls Framework (SCF), to discuss what they might mean for US Department of Defense (DoD) contractors.
The DoD currently faces a number of cyber risk challenges, chief among them the handling of controlled unclassified information (CUI) by defense industrial base (DIB) contractors. Just as private businesses set security policies and risk mitigation requirements for their supply chain, the DoD must do the same. However, the scale of the DoD's roughly 300,000 third-party relationships, combined with the mission-critical sensitivity of its data and operations, means that the DoD needs a targeted and nuanced approach.
CMMC 1.0 was released on January 31st 2020 and has been under review ever since. Following an internal review, DoD announced CMMC 2.0 in November 2021 and has moved it into rulemaking. Craig and Tom caught up to discuss what contractors can expect to change in the coming months.
Tom kicked off the discussion around CMMC 2.0 with the biggest and most noticeable change – condensing the five maturity levels down to just three. Instead of five levels of progressive security maturity that contractors were expected to adhere to (depending on the type of contract and the information they would have access to), contractors will now only have to deal with three progressively more complex levels of security. To find out more about the existing five levels of security maturity, you can take a quick read of our previous blog on CMMC 1.0. For the purposes of this talk, Tom jumped right in and laid out the new levels for us:
Level 1, now also known as the "Foundational" level, remains largely unchanged from CMMC 1.0. Contractors will still complete an annual self-assessment and an annual affirmation of compliance, and will still be expected to implement the same 17 basic safeguarding practices derived from FAR 52.204-21, which represent the minimum requirements for handling federal contract information (FCI).
Level 2, now known as "Advanced", is based on level 3 of the existing CMMC 1.0 framework but is aligned directly to the 110 security requirements of NIST SP 800-171, dropping the 20 CMMC-specific practices and the process maturity requirements that 1.0 layered on top. Contracts will be split into two categories, "prioritized acquisitions" and "non-prioritized acquisitions". The former involves CUI that the DoD considers critical to national security, for instance CUI relating to weapons systems (classified information is outside the scope of CMMC, which covers FCI and CUI only), while the latter covers less sensitive CUI, such as that relating to uniforms and other basic provisions. Depending on which category a contractor falls into, it will either have to undergo an independent third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years or carry out an annual self-assessment and affirmation.
Level 3, known as the "Expert" level, effectively combines and replaces levels 4 and 5 of CMMC 1.0. Acquisitions at this level will require triennial government-led assessments and compliance with all 110 requirements of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172. Note that the DoD has described the 800-172 component as a subset, not the whole document, and the exact selection had not been published at the time of the discussion. The NIST basis itself is not new: NIST SP 800-171 has underpinned DFARS 252.204-7012 since 2017 and CMMC 1.0 was built on it. What 2.0 changes is that the levels now map directly onto the published NIST documents rather than onto CMMC-specific practices and process requirements.
CMMC 1.0 was developed through 2019 and released in January 2020, so it predates the SolarWinds software supply chain compromise (disclosed in December 2020) by almost a year. Its motivation was the sustained loss of CUI from DIB contractor networks and the weakness of the self-attestation model under DFARS 252.204-7012; its aim was to give the DoD assurance that contractors and subcontractors were actually implementing the required security practices. At the time it was met with a combination of praise and criticism. On the one hand, raising cybersecurity standards across the defense supply chain was seen as a good thing; on the other, the regulations were seen as too complex and onerous, tying potential contractors up in red tape.
Those complexities have now been scaled back. Tom explained that OSCs (organizations seeking certification) will, with the exception of the "Expert" level and the prioritized tier of "Advanced", be able to self-assess and affirm compliance rather than engage a third-party assessor. Reducing the number of contractors needing third-party assessments should speed up the rollout of CMMC. It also puts the risk and responsibility where they belong: each self-assessment must be affirmed annually by a senior company official, so accountability sits at CISO or CEO level rather than with the team that filled in the questionnaire.
Another key difference Tom mentioned in 2.0 is the acceptance of POA&Ms, or "Plans of Action and Milestones". A POA&M allows a contractor that does not yet meet every required security practice to continue bidding for contracts, provided it documents how and when the remaining gaps will be closed. This means contractors can bid on relevant contracts while they transition to tighter security controls. The caveat practitioners should note is that the DoD has said POA&Ms will be strictly time-limited and will not be permitted for the highest-weighted requirements, so a POA&M is a bridge to compliance, not a substitute for it.
The good news for contractors is that because 2.0 incorporates much of the existing guidance from 1.0, and rests on the same NIST SP 800-171 requirements, most of the literature already available remains relevant and useful. CMMC 2.0 reduces the audit and assessment burden on contractors and lets them move ahead with bids while they close their remaining gaps.
For all contractors, the first step in preparing for CMMC 2.0 is to work out which level applies to your business. Will you handle only federal contract information (Level 1)? Will you need access to controlled unclassified information (CUI), which puts you at Level 2? If so, would the contract fall into the prioritized or non-prioritized category, which decides whether you need a third-party assessment or can self-assess? Will you be working on the highest-priority programs that the DoD places at Level 3? From there, as discussed by Craig and Tom, it is a case of mapping out a roadmap to compliance, starting with a gap assessment against NIST SP 800-171 since that is what Level 2 is measured against. How this roadmap is documented now matters more than before, because it is effectively the raw material for any POA&M you submit in pursuit of a bid.
The implementation of CMMC 2.0 is well underway, but bear in mind that the DoD has said the rulemaking could take up to 24 months to complete and take effect. This should give contractors time to shore up their risk management strategies in line with the CMMC level their contracts will require.