With evolving cybersecurity threats, the Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC) to safeguard information within the defense industrial base (DIB). The latest version, CMMC 2.0, streamlines the framework and brings important changes that contractors must understand to maintain eligibility for government contracts. Here, we’ll discuss what CMMC 2.0 is, the recent updates, key timelines, and how contractors can determine the appropriate level of certification for their contracts.
So, let’s talk about CMMC and what it means for our clients and other DoD contractors.
What is CMMC?
CMMC is a cybersecurity framework designed to improve the security posture of contractors working with the DoD. By establishing specific practices and processes, the model ensures that contractors implement necessary safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). With CMMC 2.0, the framework shifts away from the previous five-level structure to a more streamlined three-level model, emphasizing simplicity and reducing the cost burden on contractors.
Recent Changes: What’s New in CMMC 2.0?
The updated CMMC 2.0 framework condenses the model from five levels to three:
1. Level 1 (Foundational): Requires basic safeguarding practices for contractors handling FCI. This level involves implementing straightforward cybersecurity measures, akin to basic cyber hygiene.
2. Level 2 (Advanced): Applies to contractors who handle CUI. It requires alignment with NIST SP 800-171 standards, featuring 110 security controls to protect sensitive information. Most companies working with the DoD will likely need to comply with Level 2 if they deal with CUI.
3. Level 3 (Expert): Targeted at a smaller group of contractors involved in the most critical defense projects, this level will require compliance with more stringent standards, potentially including NIST SP 800-172.
CMMC 2.0 Timelines and Compliance Deadlines
The DoD is gradually rolling out CMMC 2.0, with contractors expected to see CMMC requirements in new contracts starting in late 2024. The full integration into all DoD contracts is anticipated by 2025. Here’s what contractors need to know about key timelines:
• End of 2024: CMMC requirements will begin appearing in a limited number of new contracts, focusing initially on new awards rather than existing contracts.
• Early to mid-2025: The CMMC 2.0 framework is expected to complete the rulemaking process, making it mandatory across all new DoD contracts.
• Certification Maintenance: Contractors will need to undergo recertification every three years to ensure continued compliance, while Level 1 self-assessments should be performed annually.
Determining the Appropriate CMMC Level for Your Contracts
Understanding which CMMC level applies to your company is crucial for maintaining eligibility for DoD contracts:
• Level 1 (Foundational): Suitable for contracts involving non-sensitive services or products, such as basic facility maintenance or commercial product supply, where only FCI is handled. Level 1 requires basic cyber hygiene practices.
• Level 2 (Advanced): Most defense contractors handling CUI will need to comply with Level 2. This applies to contracts involving research and development, defense manufacturing, software development, or logistics services. The requirements align with NIST SP 800-171’s 110 controls, and contractors must prepare for third-party assessments.
• Level 3 (Expert): Intended for contracts related to high-impact DoD projects, such as special access programs or work involving classified technologies. Level 3 certification will be necessary for companies handling the most sensitive information.
What This Means for Our Clients
For contractors in the defense industrial base, preparing for CMMC 2.0 is not just about checking boxes but establishing a robust cybersecurity foundation. While Kinetic does not provide CMMC consulting, we understand that our clients may need to navigate the complexities of compliance. Here’s what you should consider:
• Assess Your Current Cybersecurity Posture: Understand the type of information your company handles and identify which CMMC level is likely required for your contracts.
• Focus on NIST SP 800-171 for Level 2: If you deal with CUI, aligning with NIST SP 800-171 is critical. Start implementing the required controls and documenting your efforts to prepare for future assessments.
• Plan for Assessments and Maintenance: Don’t wait until the last minute. Begin planning for third-party assessments well before the anticipated deadlines, and maintain cybersecurity measures consistently to stay compliant.
Conclusion
CMMC 2.0 represents a significant shift in how the DoD enforces cybersecurity standards, but with the right preparation, contractors can meet the requirements and continue to thrive in the defense sector. Staying informed about the evolving requirements and understanding the expected level for your contracts will be key to success.
For our clients navigating this process, we’re here to help you stay updated and informed. Make sure your cybersecurity practices are up to date to protect your eligibility for DoD contracts.