CMMC 2.0 – Know about U.S. DoD’s cybersecurity certification
CMMC 2.0 streamlines the U.S. Department of Defense’s (DoD) cybersecurity requirements to three levels and aligns them with well-known and widely accepted NIST cybersecurity standards. In this article, we review the basics of CMMC 2.0 and how they impact Canadian contracts with DoD.
Canadian companies in the defence sectors already know that strong practices for handling sensitive information are critically important. The newly updated cybersecurity certification required of all U.S. Department of Defense (DoD) contractors (CMMC) means how you protect your data will determine whether you can access lucrative U.S. military market opportunities.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance companies’ cybersecurity practices with the DoD. It was developed to address the increasing cyberattack threats and protect the sensitive information and data associated with defence contracts.
The CMMC combines many different cybersecurity standards — including those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Aerospace Industries Association and others — into a single, unified standard for cybersecurity. Doing so gives the U.S. DoD a more straightforward mechanism for assessing and verifying contractors’ cybersecurity readiness, including their ability to protect information stored in and transmitted across their networks.
To comply with the CMMC requirements, organizations must undergo assessments to evaluate their cybersecurity practices and assign a maturity level based on their findings. The specific maturity level required depends on the organization’s involvement with DoD contracts and the sensitivity of the information they handle.
In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), Federal Contract Information (FCI) is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

About CMMC 2.0
At its core, CMMC 2.0 focuses on protecting and securing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It requires organizations to adhere to processes and procedures to protect their data from malicious actors.
The CMMC 2.0 program has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for requiring protection of information that is flowed down to subcontractors.
- Assessment Requirement: CMMC assessments allow DoD to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
In the sections below, we provide more information about these features.
CMMC 2.0 model
With the implementation of CMMC 2.0, DoD reduces the number of levels from 5 progressive levels to 3 progressive levels. For informational purposes, DoD has posted the CMMC 2.0 model for all levels, associated Assessment Guides, and scoping guidance.
CMMC 1.0
5 increasingly progressive levels:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced/Proactive
CMMC 2.0
3 increasingly progressive levels:
- Level 1 (same as previous level 1)
- Level 2 (previous level 3)
- Level 3 (previous level 5)
Because CMMC is aligned with NIST standards, DoD’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.
CMMC 2.0 assessments
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Unlike CMMC 1.0, which required all DoD contractors to undergo third-party assessments for CMMC compliance, upon implementation of CMMC 2.0:
- Contractors who do not handle information critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards. A numeric score is not required; each requirement is simply recorded as MET or NOT MET.
- Contractors managing information critical to national security must undergo CMMC Level 2 third-party assessments.
- Assessments for the highest-priority, critical defence programs (Level 3) will be conducted exclusively by the DCMA DIBCAC every 3 years, with annual affirmations in between.
CMMC 1.0
Required all DoD contractors to undergo third-party assessments for CMMC compliance.
CMMC 2.0
- Allows the majority of contractors associated with Level 1, and a subset of those associated with Level 2 CMMC requirements, to perform annual self-assessments
- Some CMMC Level 2 requirements must be met via triennial third-party assessments
- Level 3 programs will require regular assessments
Level 1 and Level 2 – Annual self-assessment
For CMMC 2.0 Level 1 and Level 2, which do not involve information critical to national security requirements, self-assessments against the 15 safeguarding requirements aligned with FAR clause 52.204-21 will suffice. These will be required annually, accompanied by an annual affirmation from a senior company official that the company is meeting requirements.
For Level 1, a CMMC score is not required. A MET or NOT MET result for each requirement is sufficient.
DoD requires companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Level 2. Advanced – Third-party assessments
For Level 2, an Organization Seeking Assessment (“OSA”) may either self-assess or seek certification from an authorized or accredited CMMC Third Party Assessment Organization (“C3PAO”).
Meeting the CMMC Level 2 self-assessment (§ 170.16) or CMMC Level 2 certification assessment (§ 170.17) requirements also satisfies the CMMC Level 1 self-assessment requirements detailed in § 170.15 for the same CMMC Assessment Scope.
Level 2: Each security requirement is valued at 1, 3, or 5 points; the total score ranges from -203 to 110, and the minimum passing score is 88. Partial credit is allowed for two requirements:
- MFA (Multi-Factor Authentication): 5 points are deducted from the maximum score of 110 if MFA is not implemented, or is implemented only for general users and not for remote and privileged users.
- MFA: 3 points are deducted if MFA is implemented for remote and privileged users but not for general users.
- FIPS (Federal Information Processing Standards): 5 points are deducted from the maximum score of 110 if no cryptography is employed.
- FIPS: 3 points are deducted if cryptography is employed but is not FIPS validated.
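As an added example (not part of the original article and not an official DoD or SPRS tool), the Level 2 scoring rules above expressed as a small Python scorer: it starts at 110, deducts each requirement's 1, 3 or 5 points when NOT MET, applies the fixed partial-credit deductions for MFA and FIPS, and checks the result against the 88-point pass mark. Requirement names, weights and the sample assessment results are constructed for illustration, not taken from NIST SP 800-171.

```python
from dataclasses import dataclass
MAX_SCORE, MIN_SCORE, PASSING_SCORE = 110, -203, 88  # Level 2 range and pass mark

# Partial-credit outcomes the article allows, with the points deducted for each.
PARTIAL = {
    "mfa_remote_privileged_only": 3,  # MFA for remote and privileged users, not general users
    "mfa_general_only": 5,            # MFA only for general users (same as not implemented)
    "crypto_not_fips": 3,             # cryptography employed but not FIPS validated
}

@dataclass(frozen=True)
class Requirement:
    name: str      # constructed label, not an official NIST SP 800-171 identifier
    weight: int    # 1, 3 or 5 points
    status: str    # "met", "not_met", or one of the PARTIAL keys

def deduction(req: Requirement) -> int:
    # MET costs nothing; NOT MET costs the full weight; partial states cost a fixed amount.
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.name}: weight must be 1, 3 or 5")
    if req.status == "met":
        return 0
    if req.status == "not_met":
        return req.weight
    if req.status not in PARTIAL or req.weight != 5:  # MFA and FIPS are 5-point requirements
        raise ValueError(f"{req.name}: unknown status or partial credit on a non-5-point item")
    return PARTIAL[req.status]

def level2_score(reqs: list[Requirement]) -> int:
    # Start at 110 and subtract each deduction; requirements not listed are assumed MET.
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    if score < MIN_SCORE:
        raise ValueError("score below the methodology's floor; check the input weights")
    return score

def level2_passes(score: int) -> bool:
    return score >= PASSING_SCORE  # 88 is the pass mark; 110 is the Level 3 prerequisite

# Constructed sample: five of the 110 requirements, the remainder assumed MET.
SAMPLE = [
    Requirement("limit system access to authorized users", 5, "met"),
    Requirement("multi-factor authentication", 5, "mfa_remote_privileged_only"),
    Requirement("FIPS-validated cryptography", 5, "crypto_not_fips"),
    Requirement("control the flow of CUI", 1, "not_met"),
    Requirement("review and update logged events", 3, "not_met"),
]

if __name__ == "__main__":
    score = level2_score(SAMPLE)
    print(f"SPRS score {score}, passing: {level2_passes(score)}")
```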
The CMMC Accreditation Body (The Cyber AB) will accredit C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.
The Defense Industrial Base (DIB) company (including Canadian companies) will be fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After completing the CMMC assessment, the C3PAO will upload the assessment report into the CMMC Enterprise Mission Assurance Support Service (eMASS), which DoD can access.
Level 3. Expert – Government-led assessments
This level of compliance is required for all Organizations Seeking Certification (OSC) that handle controlled unclassified information used in the DoD’s highest-priority programs. Most defence industry leaders must meet the requirements at this level.
Because this level requires the most stringent security, assessments are only needed every three years, and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must be engaged in this process.
The DCMA DIBCAC will use the assessment methods defined in NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, along with the supplemental information in the CMMC Level 3 Assessment Guide, to conduct Level 3 certification assessments.
Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all requirements. An OSC can obtain a Level 3 certification assessment for an entire enterprise network or specific enclave(s), depending on how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(d).
All Level 3 security requirements are valued at 1 point, for a maximum score of 24. Level 3 also requires a prerequisite Level 2 score of 110.
DIBCAC will conduct assessments every three years. The results will be entered into CMMC Enterprise Mission Assurance Support Service (eMASS), and the CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4.
CMMC 2.0 implementation
The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years.
The phases add CMMC-level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.
Phase 1 – Initial implementation
- Begins on the 48 CFR rule effective date
- Where applicable, solicitations will require Level 1 or 2 Self-Assessment
Phase 2
- Begins 12 months after Phase 1 start
- Where applicable, solicitations will require Level 2 Certification
Phase 3
- Begins 24 months after Phase 1 start
- Where applicable, solicitations will require Level 3 Certification
Phase 4 – Full implementation
- Begins 36 months after Phase 1 start
- All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award.
In some procurements, DoD may implement CMMC requirements in advance of the planned phase.
Once CMMC 2.0 is implemented, the required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs). DoD plans to allow companies to receive contract awards with a plan to complete CMMC requirements. However, DoD may not allow some CMMC requirements to be achieved after contract award.
CMMC 1.0
No allowance for a Plan of Action and Milestones (POA&M) to complete CMMC requirements
CMMC 2.0
- Allows the use of POA&M
- Not allowed for Level 1 Self-Assessments
- For Level 2 Assessments (Self and C3PAO), permitted as defined in § 170.21(a)(2) and must be closed out within 180 days. Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
- For Level 3 (DIBCAC), permitted as defined in § 170.21(a)(3) and must be closed out within 180 days. Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
CMMC updates 2024
On October 15, 2024, the DoD published its final rule to establish the CMMC Program, amending Title 32 of the Code of Federal Regulations (“CMMC Program Rule”).
The final rule is effective December 16, 2024. It will affect all prospective and actual DoD contractors and subcontractors who are handling or will handle DoD information that meets the standards for Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on a contractor information system during the performance of the DoD contract or subcontract.
It also aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172. It also clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.
With the publication of this updated 32 CFR (Code of Federal Regulations) rule, DoD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1.
The general protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. Some CUI will require a higher level of protection against risk from advanced persistent threats. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center-led assessment at CMMC Level 3.
Getting ready for CMMC 2.0
Since all DoD suppliers must be certified to the appropriate CMMC level to continue doing business with DoD, industry experts advise that organizations get started today. Rhia Dancel, CMMC registered practitioner, and Tony Giles, CMMC provisional assessor with NSF International Strategic Registrations (NSF-ISR), made the following recommendations in a recent article on nsf.org.
- Implement and assess information security processes – Develop a system security plan and conduct a self-assessment to NIST 800-171 standards.
- Improve processes and submit your score – Based on your self-assessment results, create a plan of action and milestones with target dates to achieve a maximum score of 110. Next, submit the score to the DoD’s Supplier Performance Risk System (SPRS).
- Identify your scope – Decide what level your enterprise, organization unit, or program enclave needs to achieve.
- Get a preliminary gap assessment – Consider getting a preliminary gap assessment with an accredited, third-party assessment organization to identify gaps in your information security process.
- Address gap assessment findings – Fix identified information security gaps and implement these changes in your organization.
- Choose a C3PAO – Use the Cyber-AB Marketplace to identify a C3PAO and schedule your CMMC assessment.
- Undergo the CMMC assessment – Conduct your CMMC assessment with your selected C3PAO.
- Get certified – The assessment results will be reviewed by the C3PAO QA individual and uploaded into CMMC eMASS. A Final or Conditional CMMC Level 2 certification will be issued by the C3PAO depending on the assessment results. For a Final CMMC Level 2 certification, your organization is awarded a three-year CMMC certification. For a Conditional CMMC Level 2 certification, a POA&M close-out is required and if successful will result in a three-year CMMC certification.
CMMC for Canadians
For Canadian exporters, the bottom line is simple: if you can achieve higher levels of cybersecurity certification, you’ll have access to more DoD opportunities. More importantly, if you don’t get certified, you won’t be eligible to bid on DoD contracts.
Beyond regulatory compliance, achieving CMMC certification demonstrates a company’s commitment to cybersecurity. It also signals to prime contractors and government agencies that the company protects sensitive information, and it avoids a last-minute scramble when certification is required.
Achieving CMMC Level 1 now also means that Canadian companies can position themselves favourably for swift compliance with the Canadian Program for Cyber Security Certification (CPCSC) once fully implemented.
To get started on your CMMC certification, consult the cybersecurity ecosystem at Cyber AB, the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of the U.S. DoD in implementing and overseeing the CMMC conformance regime. Its Marketplace provides the names of individuals and companies who can assist you in achieving CMMC 2.0 compliance.
Also stay informed on the Canadian Program for Cyber Security Certification (CPCSC) to work on select Government of Canada defence contracts that require CPCSC certification.
The information in this post is intended solely to provide general guidance on matters of interest. It is not intended to be legal advice. You should not act or refrain from acting based upon such information without first consulting a certified professional.
This post was last updated on January 23, 2025.