The Cybersecurity Maturity Model Certification, or CMMC, has been a topic of conversation for a few years within the Defense Industrial Base (DIB). CMMC is a unified standard for implementing cybersecurity across the DIB, which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems. The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. Since then, CMMC has undergone much scrutiny and discussion. Here is a timeline of CMMC:

September 2020: The CMMC program was published by the DoD (now known as CMMC 1.0). This framework assesses a Defense Industrial Base (DIB) contractor’s compliance with a set of cybersecurity standards.

November 2020: A Presidential interim rule became effective, establishing a five-year phase-in period and requiring compliance with NIST 800-171 rules.

March 2021: The DoD announced an internal review of CMMC’s implementation.

November 2021: The DoD announced CMMC 2.0, an updated program and set of requirements designed to meet certain goals, including:

  • Protecting sensitive information to enable and protect the warfighter.
  • Dynamically enhancing DIB cybersecurity to meet evolving threats.
  • Ensuring accountability while minimizing barriers to compliance with DoD requirements.
  • Contributing to a collaborative culture of cybersecurity and cyber resilience.
  • Maintaining public trust through high professional and ethical standards.

Currently, CMMC is not enforced and is in the rulemaking process, with the most ambitious timeline anticipating a rule to be published sometime in 2023.

SOME COMPANIES ARE MAKING THE MISTAKE OF ASSUMING THAT THIS MEANS THERE IS AMPLE TIME TO BECOME COMPLIANT WITH CMMC! That is incorrect. CMMC 2.0 is based on the National Institute of Standards and Technology (NIST) Special Publication 800-171. That standard is already in place and enforceable.

In response to incidents such as the Colonial Pipeline and SolarWinds attacks, on May 12, 2021, President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity. This includes a Notice of NIST 800-171 DoD Assessment Requirements. Contractors must register by CAGE code in the Supplier Performance Risk System (SPRS) and upload a self-assessment based on their 800-171 controls implementation (not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if the assessment is not done in earnest).

So, any company doing business with the Department of Defense (DoD) should already be compliant with NIST 800-171. Since 1 December 2020, DoD contracting officers have been required to verify that the summary level score of a current NIST SP 800-171 Assessment for each covered contractor information system that is relevant to an offer, contract, task order or delivery order is posted in SPRS prior to:

  • Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012

or

  • Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is required to implement the NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012.

The good news is that getting compliant with NIST 800-171 and the Executive Order positions your company well for the final rule on CMMC.

What has Changed?

According to the DoD, their modifications include:

  • Eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC Model.
  • Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1.
  • Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation.
  • CMMC Level 5 requirements are still under development.
  • Development of a time-bound and enforceable Plan of Action and Milestone process.
  • Development of a selective, time-bound waiver process, if needed and approved.

Comparing CMMC 1.0 & CMMC 2.0

Here is how the two compare:

[Infographic: CMMC 1.0 vs. CMMC 2.0 comparison]

What this Means for DoD Contractors

  • For DIB companies with CUI, the underlying requirements have not changed.
    • Reading between the lines of NIST 800-171, there is not much difference from CMMC Level 3 except the elimination of the additional 20 controls.
  • Further details will be showcased in interim rules.
    • The rulemaking process will take 9-24 months before new rules are announced.
    • Rules go into effect 60 days after they are announced.
  • POAMs are allowed; however, only on select requirements.
  • Don’t expect to get a pass on requirements; POAMs won’t be allowed on high-weighted requirements.
  • A timeline on POAMs will be set (6 months).
  • DoD will establish a minimum score with POAMs for certification.
  • At the end of the day…
    • If you are Level 3, keep working on NIST 800-171 requirements and close out POAMs!
    • Don’t expect that any of these changes will somehow make it that much easier to gain compliance than CMMC 1.0.
    • Don’t assume that this reduces your compliance burden.
    • For those that will be able to self-attest, cost is reduced.
    • For those that will require third-party assessment, nothing has changed except for some of the CMMC-independent controls being eliminated.

Braxton-Grant’s 3-Step Cyber Assessment

Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts and CMMC Registered Practitioners to assist in pre-assessments for organizations with DoD contracts.

We have developed a low-cost solution to help your company get compliant quickly and stay compliant without disrupting your budget.

For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting.