What You Need to Know About CMMC 2.0

Are you CMMC Compliant?

Now more than ever, it is becoming more and more important to start improving your cybersecurity posture. From a business standpoint, so much of what you do is web-based. This leaves you open to the threats that accompany the web. 

However, you can be proactive and prepared with a strong cybersecurity plan. CMMC 2.0 is just one of those solutions. Are you compliant with CMMC

It just might be time to get on board with cybersecurity for your business. It’s not just for the Department of Defense but for any commercial market that contracts with them. 

Keep reading to learn everything that you need to know about CMMC 2.0.

 

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. Version 2.0 is simply the latest revision of that program. 

CMMC is a compliance requirement based around NIST 800-171. It’s an assessment program geared explicitly toward cybersecurity with the Department of Defense and contractual providers in mind. 

The requirement to be compliant is fairly new, and while CMMC 2.0 has already been released, it will not be  a requirement for some time still. Ultimately, the design for compliance is to proactively keep data secure and mitigate multiple threats through review. 

Here are some of the features of the requirements. 

  • Employ professional and ethical standards that are geared to gain and maintain the trust of the public
  • Improve accountability for DoD requirements without excessive barriers. 
  • Enhance cyber security by mitigating threats and recognizing new threats as well. 
  • Protect sensitive data of DoD personnel
  • Collaborate to improve cybersecurity and proactively work against it while growing resilience

The real problem is that while CMMC was enacted in 2018, a massive number of contractors and businesses remain out of compliance. 

Businesses are required to obtain third-party assessments and audits at this point, and even with the CMMC program, many of those businesses will still have to obtain a third-party assessment. Even though one of the program’s high points is to help eliminate that need. 

There are five different levels of CMMC.

 

CMMC Levels

CMMC is offered in tiers that consist of 5 different levels. The levels depend on the amount of security that might be required or the data at stake and in so, the expectations do change for each level. 

Each level has a certain number of controls within the level, and they build on each other. For example, Level 1 has 17 controls. Level 4 has 156 controls, and it also includes the controls from levels 1, 2, and 3. 

Here is a basic overview of the levels, according to Fed Tech Magazine:

  1. Level 1 is designed to safeguard federal contractual information
  2. Level 2 is designed to be a stepping stone for cybersecurity from Level 1 in the progression towards controlled unclassified data
  3. Level 3 is designed to protect CUI specifically (controlled unclassified information)
  4. Level 4 is designed to build on Level 3, protecting CUI and reducing advanced threats
  5. Level 5 is the highest level and builds on each level to protect CUI and fight advanced persistent threats against security

Level 1 is basic practice, and level 5 is fully optimized behavior regarding cybersecurity and taking steps to protect CUI.

 

Who Needs CMMC?

The field of those who have to comply with CMMC 2.0 is vast. This program is geared towards the Department of Defense cybersecurity, which means it is far-reaching. Not only does this mean the direct Department of Defense and the military forces that are part of the DoD but it also refers to any company that does business with the DoD. 

This list is massive, and includes thousands of companies. However, it isn’t only large corporations that must be in compliance. Companies of all sizes will need CMMC 2.0 and need to navigate the rules that are put out and then act to bring themselves into compliance. 

This isn’t specific to an industry. It is any corporation or business that does business or contracts with the Department of Defense. If you consider all of the branches and the myriad of suppliers they must have, you probably are still estimating low on the number of businesses. In fact, the estimate is that when CMMC 2.0 is officially rolled out, more than 40,000 contractors will need third-party assessments. They estimate that at least 220,000 businesses total are involved with the DoD in some way.

 

Why Was CMMC 2.0 Created?

Many wonder why CMMC 2.0 would be necessary when CMMC already existed and wasn’t even in full force yet. 

CMMC was put into place in 2018, yet many businesses were still out of compliance. The program was set to be reviewed in 2021 as they started placing CMMC into contracts. However, they quickly found that implementing CMMC could be extremely costly and time-consuming as it currently stood. 

They specifically were concerned for the small businesses that would be affected by the requirements and how they would implement and maintain a high level as required. The original CMMC was not scaled and did not take different business practices into consideration. 

This need to recognize different levels and change the rules and practices led to creating CMMC 2.0. Once that was realized, they put everything on hold while they ironed out the details of CMMC 2.0, determined how to implement it, and then created the rules for it. 

Right now, businesses that contract with the Department of Defense have a head’s up and a basic understanding of the rules, but the final requirements are yet to come.

 

What are the Main Changes Between CMMC and CMMC 2.0?

There are quite a few changes from CMMC to CMMC 2.0, but the biggest change is how different levels are handled and their requirements. 

For example, some businesses will be able to self-attest to their cybersecurity practices, depending on the data they use or have access to. If their data is not specific to national security, they will be allowed to self-attest. This would be your Level 1 and maybe some Level 2 businesses. 

Some of these businesses do work with or for the DoD, but they don’t handle any sensitive data, so their requirements don’t need to be near as stringent. Ultimately, Level 1 businesses will be able to self-attest by having a senior executive sign off that they are in compliance with cybersecurity standards. 

The hope is that regulating the tiers and what is required of each tier will reduce the burden of requirements all around. The higher the tier, the more sensitive their data is, and the more stringent their requirements will be with the changes implemented by CMMC 2.0. 

As we mentioned earlier, this change will potentially reduce the number of contractors that have to be thoroughly reviewed by the DoD from the entire 220,000+ businesses to 40,000 that will require a third-party assessment.

 

As the levels move up, fewer businesses fall into the tiers. About 80,000 businesses fall into Level 2, but not all require external assessments. Level 3 businesses only include about 500. They will be audited by DoD themselves.

The changes from CMMC to include all businesses and CMMC 2.0 to create the different tiers reduces the burden for the Department of Defense and a significant number of businesses that they work with. 

Small and medium businesses that do not deal with critical data will not have to follow the same challenging standards as level 3-5 businesses, which have the most sensitive data at their fingertips. 

Some of the other specific changes are not fully known yet as they continue to determine the rules that will be enforced with CMMC 2.0. However, this review covers the most anticipated differences expected from the change. 

CMMC 2.0 also has a waiver opportunity in some cases. It is a limited waiver, but CMMC did not allow for any kind of waiver.

 

When Will CMMC 2.0 Be a Requirement??

CMMC 2.0 has quite a way to go still. The Department of Defense has already set the expectation that 2023 is the anticipated timeline for CMMC 2.0 being a requirement. Since they decided to change gears on their approach, they’ve halted the implementation and put requiring CMMC compliance on hold until they have finalized the new rules of 2.0. 

They have acknowledged that it will take time to come up with rules and specifics. You can view the basics of the ruling and the categorization of the levels that will be implemented. However, patience will be required to find out all of the details. 

When they do present the final rules, they will also provide a hard deadline for compliance. Right now, the statement is that they will allow 180 days for businesses to comply. 

The Deputy Assistant Secretary of Defense for Industrial Policy, Jesse Salazar, quotes: “My hope is that no company in the defense industrial base or in the broader commercial market is waiting for DoD contractual requirements to begin its cyber readiness process. We are encouraging all companies to start improving their cybersecurity.”

Rather than wait until those final rules are enforced, a business could go ahead and start planning to accommodate cybersecurity and figuring out their steps. If you wait until the last minute to begin preparing, you will more than likely run into issues getting things established and won’t be compliant when you need to be.

 

When Will Waivers Be Allowed?

While the exact specifics of the waivers might not yet be 100% known, the understanding is that the waivers will be allowed primarily on an as-needed basis. 

The waiver is a limited waiver for certification requirements. It will be a temporary waiver granted when a case is mission-critical. The understanding is that they will be granted on a case-by-case basis and won’t just be handed out freely. They will require approval from senior leadership personnel at DoD. 

The rules are still being planned, just like the other rules related to CMMC 2.0. Those guidelines and details will be established along with all of the other guidelines businesses are patiently waiting for more details on. 

 

In Closing

Cybersecurity is no joke. With increased cyber use for just about any business interaction, the Department of Defense recognizes the need to take action and acknowledges that not all of their associated contractors have the same design and should be subject to the same rules. 

This is what has led us to CMMC 2.0. As the time draws closer to the establishment, we will see more details released. Until that time, businesses can start planning for the future of CMMC 2.0.

Find out how Edge Networks can help your company become CMMC compliant by visiting our website. We take care of your compliance so you can focus on running your business.