THE ROAD TO COMPLIANCY WITH CMMC 2.0
WHAT IS CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is an initiative from the United States government to standardize cybersecurity practices and better protect information going between the Department of Defense (DoD), NASA, and GSA and third-party organizations they work with on a contract basis.
According to estimates from the DoD, nearly $60 billion worth of data is lost every year to adversaries.
Businesses currently working with the DoD, NASA, and GSA must be CMMC compliant to continue working with and bidding on contracts for these government agencies. NuWave Technology Partners has put a major focus on CMMC compliancy and providing services to companies to help reach CMMC compliancy. These companies will have to prove in an assessment from a third-party assessor that they have all of the policies and procedures in place to protect Controlled Unclassified Information. NuWave’s team can guide companies to be where they need to be to pass the assessment.
On November 4, 2021, the Department of Defense announced CMMC 2.0, a new version of the CMMC model with several significant changes to the original program. Although CMMC 2.0 maintains the goal of protecting the Department of Defense’s FCI and CUI, here is a first cut of the enhancements and changes:
- The new CMMC 2.0 framework will have a public comment period. Version 2.0 is on hold until the program has been reviewed and fully approved through the rule-making process in Part 32 of the Code of Federal Regulations (C.F.R.) and the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
- The rulemaking process can take anywhere between 9 and 24 months.
- CMMC 2.0 removes unique practices and all maturity processes from the CMMC Model.
- The DoD is changing CMMC into a streamlined model more aligned with the widely accepted cybersecurity standards established by the National Institute of Standards and Technology (NIST).
THE CMMC LEVELS
- Compliance with CMMC 2.0 Level 1 can be verified through self-attestation.
- CMMC 2.0 is a streamlined model with 3 Levels. Levels 2 and 4 have been removed.
- CMMC 2.0 Level 2 is now the equivalent of NIST 800-171.
- The additional 20 CMMC Level 3 controls added onto NIST 800-171 will be removed.
- CMMC 2.0 Level 2 will have two categories. In some cases, for contractors dealing with non-prioritized data at Level 2, self-attestation will be permitted. However, in other situations, Level 2 will require a third-party assessment to enforce compliance.
- CMMC Level 3 replaces the old Level 5 requirements. Level 3 is under development but will be based on a subset of NIST 800-172.
OVERSIGHT AND RESPONSIBILITY
- The CMMC 2.0 announcement does not reference the CMMC Accreditation Body.
- This article indicates the CMMC-AB will be replaced.
- If so, this change will not come as a surprise given the significant delays, poor communication, conflicts of interest, and public relations issues.
- The Accreditation Body’s potential elimination brings up the question of existing CMMC credentials for registered individuals and organizations. Are those credentials still valid? If not, will the costs be refunded? Much is still unknown.
DOD CONTRACT REQUIREMENTS
- CMMC 2.0 will not be in DoD contracts until there is a final ruling.
- To reduce assessment costs, all organizations at Level 1 (Foundational) and a subset of organizations at Level 2 (Advanced) will be allowed to prove compliance through self-assessments.
- Assessments will be more reliable with higher accountability to increase the oversight of professional and ethical standards of third-party assessors.
- From the DoD: “Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and will have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process.”
- From the DoD: “The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available.”
The changes incorporated into CMMC 2.0 are in direct response to feedback from the DoD’s Defense Industrial Base members calling on the DoD to reduce the cost of CMMC compliance, increase trust in the CMMC assessment ecosystem, and align the CMMC model with other federal requirements and standards. To learn more about how the CMMC 2.0 changes will impact your organization, contact us below.
HOW DO I BECOME CMMC COMPLIANT?
IMPORTANCE OF UNDERSTANDING CMMC
Your I.T. department or your managed service provider (MSP) are the cybersecurity experts for your business. But management across your company also needs to understand the value of good cybersecurity practices, including what happens if there is a breach and who is responsible for any external communication. At NuWave, we make sure there is understanding throughout your organization and clarity of responsibilities when it comes to cybersecurity and protecting your data.
HOW NUWAVE CAN HELP
NuWave has partnered with Prescott, a Registered Provider Organization (RPO) with a team of experienced CMMC experts. We help you identify and address the policies and procedures your organization will need to have in place in order to reach compliancy at the necessary level. This gets your company where it needs to be in order to pass an assessment from a third-party assessor and become CMMC compliant.