CMMC 2.0 – Know about DoD’s evolving cybersecurity certification

Compared to CMMC 1.0, Cybersecurity Maturity Model Certification (CMMC) 2.0 streamlines the U.S. Department of Defense’s (DoD) cybersecurity requirements down to three levels and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. In this article we review the basics of CMMC 2.0 and what is known so far about how it will affect contracts with DoD.

Canadian companies working in the defence or financial sectors already know that strong practices for handling sensitive information are critically important. With the updated cybersecurity certification that will soon be required of all DoD contractors, how you protect your data will determine whether you can access lucrative U.S. military market opportunities.

What is Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the cybersecurity practices of companies working with DoD. It was developed by the DoD to address the increasing threats posed by cyberattacks and to protect the sensitive information and data associated with defense contracts.

The CMMC combines today’s many different cybersecurity standards, including those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Aerospace Industries Association (AIA) and others, into a single, unified cybersecurity standard. In doing so, it gives the DoD a more straightforward mechanism for assessing and verifying contractors’ cybersecurity readiness, including their ability to safeguard protected information stored in and transmitted across their networks.

To comply with the CMMC requirements, organizations must undergo assessments that evaluate their cybersecurity practices and assign a maturity level based on the findings. The specific maturity level required depends on the organization’s involvement with DoD contracts and the sensitivity of the information it handles.

What is protected information?

In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), Federal Contract Information (FCI) is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

About CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the latest version of the DoD cybersecurity framework. At its core, CMMC 2.0 focuses on protecting and securing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It requires organizations to adhere to a set of processes and procedures to protect this data from malicious actors.

The CMMC 2.0 program has three key features:

Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors.

Assessment Requirement: CMMC assessments allow DoD to verify the implementation of clear cybersecurity standards.

Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

In the sections below, we provide more information about these features.

CMMC 2.0 model

With the implementation of CMMC 2.0, DoD intends to reduce the number of progressive levels from five to three. DoD has posted the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance for informational purposes. Level 3 information will be posted as it becomes available.

CMMC 1.0

5 increasingly progressive levels:

  • Level 1 – Basic Cyber Hygiene
  • Level 2 – Intermediate Cyber Hygiene
  • Level 3 – Good Cyber Hygiene
  • Level 4 – Proactive
  • Level 5 – Advanced/Progressive

CMMC 2.0

3 increasingly progressive levels:

  • Level 1 (same as previous Level 1)
  • Level 2 (previous Level 3)
  • Level 3 (previous Level 5)

As a result of the alignment of CMMC to NIST standards, DoD’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.

CMMC 2.0 assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Unlike CMMC 1.0, which required all DoD contractors to undergo third-party assessments for CMMC compliance, upon implementation of CMMC 2.0:

  • Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
  • Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
  • The highest priority, most critical defense programs (Level 3) will require government-led assessments.

CMMC 1.0

  • Required all DoD contractors to undergo third-party assessments for CMMC compliance.

CMMC 2.0

  • Allows the majority of contractors, associated with Level 1 and a subset of Level 2 CMMC requirements, to perform annual self-assessments
  • Some CMMC Level 2 requirements must be met via triennial third-party assessments
  • Level 3 programs will require triennial assessments conducted by government officials

Level 1. Foundational – Annual self-assessment

For CMMC 2.0 Level 1 requirements, and for Level 2 requirements that do not involve information critical to national security, self-assessments will suffice. These will be required annually, accompanied by an annual affirmation from a senior company official that the company is meeting the requirements.

DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).

Level 2. Advanced – Third-party assessments

Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.

The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.

The Defense Industrial Base (DIB) company (including Canadian companies) will be fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After the CMMC assessment is complete, the C3PAO will upload the assessment report into CMMC eMASS, which DoD can access.

Level 3. Expert – Government-led assessments

This level of compliance is required for all contractors who handle controlled unclassified information that is used in the DoD’s highest priority programs. Most defense industry leaders must meet the requirements at this level.

Because this level requires the most stringent security, assessments are conducted only every three years, and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must be engaged in the process.

CMMC 2.0 implementation

Once CMMC 2.0 is implemented, the required CMMC level for contractors and subcontractors will be specified in the solicitation and in Requests for Information (RFIs). DoD plans to allow companies to receive contract awards with a plan to complete outstanding CMMC requirements. However, DoD may not allow some CMMC requirements to be achieved after contract award.

CMMC 1.0

  • No allowance for a Plan of Actions and Milestones (POA&M) to complete CMMC requirements

CMMC 2.0

  • Allows the use of a Plan of Actions and Milestones (POA&M)
  • Highest-weighted requirements cannot be placed on the POA&M list
  • DoD will establish a minimum score requirement to support certification with POA&Ms

Under CMMC 2.0, DoD intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. DoD policies for Program Managers seeking CMMC waivers will require senior DoD leadership approval and will limit waiver duration.

CMMC 1.0

  • No allowance for waivers

CMMC 2.0

  • Waivers apply to the entire CMMC requirement, not to individual cybersecurity practices
  • Allowed on a very limited basis in select mission-critical instances, upon senior leadership approval
  • Timelines imposed on a case-by-case basis to achieve CMMC compliance

Getting ready for CMMC 2.0

As of June 2023, there has been no official announcement as to when industry will be required to comply with CMMC 2.0 requirements.

Since all DoD suppliers will have to be certified to the appropriate CMMC level to continue doing business with DoD, industry experts advise organizations to get started early. Rhia Dancel, CMMC registered practitioner, and Tony Giles, CMMC provisional assessor with NSF International Strategic Registrations (NSF-ISR), made the following recommendations in a recent article on nsf.org.

  1. Implement and assess information security processes – Develop a system security plan and conduct a self-assessment to NIST 800-171 standards.
  2. Improve processes and submit your score – Based on the results of your self-assessment, create a plan of actions and milestones with target dates to achieve a maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).
  3. Identify your scope – Decide what level you need to achieve for your enterprise, organization unit or program enclave. Note that the Cyber-AB, the accreditation body authorized to oversee all CMMC assessments and training, has only released the assessment guide for CMMC 2.0 Levels 1-2 so far.
  4. Get a preliminary gap assessment – Consider getting a preliminary gap assessment with an accredited, third-party assessment organization to identify gaps in your information security process.
  5. Address gap assessment findings – Fix identified information security gaps and implement these changes in your organization.
  6. Choose a C3PAO – Use the Cyber-AB Marketplace to identify a C3PAO and schedule your CMMC assessment.
  7. Undergo the CMMC assessment – Conduct your CMMC assessment with your selected C3PAO.
  8. Get certified – Cyber-AB reviews the assessment submitted by the C3PAO and makes a final decision on certification for your organization. If approved, your organization is awarded a three-year CMMC certification.

CMMC for Canadians

For Canadian exporters, the bottom line is simple: if you can achieve higher levels of cybersecurity certification, you’ll have access to more DoD opportunities. More importantly, if you don’t get certified, you won’t be eligible to bid on DoD contracts.

Many contractors likely won’t have to do anything new compared to their current cybersecurity practices, especially if they only needed to meet the first two levels of certification under CMMC 1.0.

For most Canadian companies, the CMMC framework is a more formal mechanism to recognize the best practices they already have in place. It may also be the beginning of a broader cybersecurity approach for all U.S. government contracting.

Sell to the U.S. DoD: If you are looking to sell your products or services to the DoD, contact us to learn more about how we can support you.

This post was last updated on June 20, 2023.
