The Cybersecurity Maturity Model Certification (CMMC) has undergone significant changes since its inception in 2020. Transitioning from version 1.0 to the more streamlined and business-friendly CMMC 2.0, the Department of Defense (DoD) aims to enhance cybersecurity across the Defense Industrial Base (DIB). However, navigating these changes can be challenging.
As your trusted CMMC experts, Peerless Tech Solutions is here and ready to simplify the process and ensure your business is prepared. Please review the updates below, which highlight the major changes that Peerless will address for your organization!
A Quick History of CMMC
In September 2020, the DoD introduced the 48 CFR CMMC Interim Rule (CMMC 1.0), a five-level certification framework aimed at improving cybersecurity and ensuring contractors' compliance with standards for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). However, in response to public feedback, the DoD assessed that the framework's complexity and costs were burdensome for smaller contractors.
In response to these concerns, CMMC 2.0 was announced in November 2021 to simplify the program for small and medium-sized businesses, making compliance more achievable. Two years later, in December 2023, the DoD published the CMMC Proposed Rule to solicit additional public feedback and further refine the framework. Additionally, in August 2024, the DoD published a DFARS Proposed Rule to integrate CMMC 2.0 into the procurement process. CMMC 2.0 streamlined the framework by reducing the certification levels from five to three, removing unnecessary complexity, and offering more flexibility for achieving compliance.
On October 15, 2024, the DoD published the CMMC Final Rule under 32 CFR Part 170, with an effective date of December 16, 2024. This rule, along with the proposed 48 CFR Part 204 Acquisition Rule, forms the foundation for CMMC 2.0, leveraging NIST standards, FedRAMP requirements, and other federal guidelines.
What's New in CMMC 2.0
Peerless addresses the following key changes that companies should be aware of:
- New Three-Level Framework:
  - Level 1 (Self-Assessment): Required for FCI only. Must meet 15 security requirements from FAR Clause 52.204-21. These requirements are also mapped to 17 security requirements in NIST SP 800-171 R2. Required annually; no POA&M permitted.
  - Level 2 (Self-Assessment): Assessed against 110 controls in NIST SP 800-171 R2. Required every 3 years; must affirm annually. POA&M permitted, with 180-day remediation.
  - Level 2 (Certification Assessment): Conducted by a CMMC Third-Party Assessment Organization (C3PAO). Assessed against 110 controls in NIST SP 800-171 R2. Required every 3 years; must affirm annually. POA&M permitted, with 180-day remediation.
  - Level 3 (Certification Assessment): Conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Assessed against 24 security controls in NIST SP 800-172. Required every 3 years; must affirm annually. POA&M permitted, with 180-day remediation.
- New Phased Implementation Plan:
  - Phase 1: Begins December 16, 2024; includes Level 1 and Level 2 self-assessments.
  - Phase 2: 12 months after Phase 1; requires Level 2 C3PAO certification assessment.
  - Phase 3: 24 months after Phase 1; requires Level 3 DIBCAC certification.
  - Phase 4: Full implementation within 36 months, with all applicable contracts including CMMC requirements.
Other New or Updated Requirements
- Asset Categories (important for CMMC 2.0 scoping):
  - Security Protection Assets (SPA): Assets providing security protection to CUI systems. SPAs are critical to protecting sensitive information and must be scoped, evaluated, and documented during assessments.
  - Security Protection Data (SPD): Data processed or stored by SPAs. Although this data may not be CUI, SPD is subject to assessment and must be safeguarded as such.
  - Out-of-Scope Assets: Assets that do not process or store CUI. They are excluded from assessment but must be documented in the System Security Plan (SSP).
  - Specialized Assets: Assets that can process CUI but cannot be fully secured due to inherent limitations (e.g., medical devices, legacy systems). These must be categorized, documented in the SSP, and inventoried. Assessment is only required at Level 3.
  - Contractor Risk Managed Assets (CRMA): Assets capable of processing CUI but not intended for such use. CRMAs require proper documentation in the SSP and must be prepared for assessment if their use changes.
  - Cloud Service Provider (CSP): If CUI is processed, stored, or transmitted using cloud services, the CSP must meet FedRAMP Moderate equivalency and be documented. If only SPD is processed, the CSP's services must be scoped and assessed.
  - External Service Provider (ESP): Third-party providers (e.g., Managed Service Providers) whose services process CUI or SPD. The services provided must be scoped and assessed.
- Enduring Exceptions: Specific systems or circumstances where full compliance is infeasible due to limitations such as vendor restrictions or technical constraints. These exceptions must be documented in the SSP and are assessed as "met" with appropriate mitigations. Specialized Assets could be an example of an Enduring Exception.
- Temporary Deficiencies: Situations where remediation is feasible, but during implementation a deficiency or limitation is discovered that prevents remediation. These situations are not based on an "in progress" initial implementation of a security requirement but arise after implementation. Deficiencies must be documented in an operational plan of action.
- Operational Plan-of-Action: Formal artifact identifying temporary deficiencies discovered during the implementation of a security requirement, and how the deficiency will be corrected or mitigated. Not to be confused with a POA&M which requires a 180-day remediation timeline.
- New Flow-Down Requirements: Subcontractors must meet the same CMMC level requirements as the prime contractor for handling FCI and CUI.
Why CMMC 2.0 May Seem Daunting
Despite improvements, achieving compliance can still be challenging:
- Complexity: Understanding NIST SP 800-171 requirements and implementing technical safeguards can be overwhelming.
- Resource Constraints: Small to mid-size businesses often lack the cybersecurity expertise needed to interpret and apply these standards.
- High Stakes: Non-compliance can disqualify businesses from DoD contracts, jeopardizing their future.
How Peerless Tech Solutions Can Help
At Peerless, we specialize in making CMMC compliance achievable for businesses of all sizes. Our menu of services, from Gap Assessments to our SSP, POA&M, and Policy products, addresses the changes above to ensure your organization meets Level 2 Self-Assessment requirements. We also offer technical remediation solutions and expert consulting to help you achieve an SPRS score of 110!
Don’t let the complexity of CMMC 2.0 overwhelm you. Peerless has already analyzed the changes, standards, and security controls so you don’t have to. With our expertise, we’ll guide you through every step of the process to help your business be compliant and ready for certification.