PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

CMMC 2025: Updated Requirement Levels

Posted by ProCircular Team on Feb 13, 2025 1:58:19 PM


The Cybersecurity Maturity Model Certification (CMMC) Program was created to ensure that organizations working with or within the Defense Industrial Base (DIB) have a baseline level of protections and practices in place for Controlled Unclassified Information (CUI). After the first version was proposed, significant feedback prompted a review period and the eventual release of CMMC 2.0.

With CMMC 2.0 set to become a requirement for contracts in a phased rollout by the end of March 2025, many organizations will need to familiarize themselves with the requirements. One of the primary differences between the first iteration and this final rule is the shift from five levels to a more digestible three.

Level 1: Foundational

The first level, ‘Foundational’, aligns with the 15 practices in 48 CFR 52.204-21 and is intended for organizations that handle only Federal Contract Information (FCI). These are concise statements that outline the core functions every organization in the ecosystem will need to implement. Additionally, level 1 will no longer require a third-party assessment from a Certified 3rd Party Assessment Organization (C3PAO); it moves to a self-attestation model for these organizations. Organizations at this level are not required to maintain a Plan of Action and Milestones (POA&M) for gaps and missing items, because the expectation is that all of these requirements are fulfilled. A POA&M is still valuable for organizations that wish to track additional gaps against their own goals or against higher levels of the framework.

Organizations that must meet level 1 requirements are required to attest on an annual basis. All self-assessments are expected to be just as rigorous as a third-party assessment, with evidence uploaded to the Supplier Performance Risk System (SPRS).

Level 2: Advanced

The second level, ‘Advanced’, is intended for organizations handling CUI, which must demonstrate implementation of all practices in NIST SP 800-171. Achieving level 2 requires an assessment from a C3PAO. Organizations are required to attest yearly to their continued compliance and to re-certify every 3 years. A POA&M is required at this level, with remediation of most items due within 180 days. Of the organizations estimated to need CMMC, over 99% will be at level 1 or 2. A small number of level 2 organizations will perform self-assessments, but this option is limited to organizations involved in low-risk contracts. Level 2 self-assessments also occur annually.


Level 3: Expert

The third level, ‘Expert’, applies to organizations that will be handling CTI. In addition to the controls from NIST SP 800-171, level 3 requires the implementation of 24 controls from NIST SP 800-172. Organizations seeking level 3 certification must already hold a level 2 certification and then undergo an assessment from the DCMA DIBCAC (the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center).

Some additional information has been provided as part of the updates as well, such as scoping provisions for External Service Providers and VDI clients. Once an environment is certified at level 2 or 3, that certification can be leveraged for other contracts with the same or lower requirements. Note, however, that changes to the CMMC-scoped environment would trigger the need to recertify.

Despite some organizations having the ability to self-attest, jumping straight into CMMC from scratch is a massive undertaking. The DoD estimates that it could take 3 to 6 months to implement level 1 requirements and anywhere from 12 to 18 months for level 2.

ProCircular’s specialists have been preparing to help organizations achieve their compliance needs by offering CMMC Readiness assessments.

Stay tuned as additional information is released by the DoD. Contact our team of experts to discuss your CMMC readiness, and learn more about CMMC and assessment preparation here.


Topics: Cybersecurity, Data Security, NIST, Compliance, CMMC, GRC
