Cybersecurity Maturity Model Certification
With the increasing risk of cybersecurity attacks due to an interconnected global economy, the Department of Defense (DoD) is working on measures to keep government information safe. One proposed method is the Cybersecurity Maturity Model Certification (CMMC), a unified standard that will measure and certify cybersecurity requirements in organizations that work with the DoD. CMMC is based on a reoccurring assessment process that would ensure companies that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) have implemented proper safeguarding measures. As this model is still in the creation process, various versions are continually evolving. The most recent update for CMMC is version 2.0.
The New Model
With version 2.0, a notable change to the CMMC model is the number of maturity levels. In version 1.0, there were five levels. The lowest level, one, required basic security practices. Most companies were predicted to fit in this level. The highest level, five, would require a standardized and optimized cybersecurity program focused on protecting against Advanced Persistent Threats (APTs). With the edits in 2.0, the levels have been simplified. Now, there are three maturity levels—one, still the most basic, and three, an expert security level. In version 1.0, all contractors were to be assessed by a third party assessment organization regardless of maturity level, while in version 2.0 there are different assessment methods at the different maturity levels.
In version 2.0, a few other significant changes have been made. For example, level one will require an annual self-assessment and affirmation by company leadership. Level two will be split into two groups. In the first group, self-assessment is allowed, and an annual company affirmation will also be required. In the second group, third party assessment will be necessary and will apply to contractors that handle critical national security information. Due to limitations of the third party assessment ecosystem, the DoD has prioritized this second group handling critical national security information for independent assessment. Level three is still under development, but will be based on the NIST 800-172 guidelines. These guidelines are to protect Controlled Unclassified Information (CUI), and outline security enhancements above and beyond the guidelines of NIST 800-171.
Reasons for Change
The Defense Industrial Base (DIB) is comprised of organizations of varied sizes with different capabilities and risk profiles. When the CMMC model was introduced, businesses that worked with the DoD voiced many concerns about the framework and its implementation. Among the concerns raised by contractors, CMMC 1.0 created excessive cost and red tape for small and medium sized businesses, lacked the ability to scale the third party assessment ecosystem to meet demand, and failed to recognize overlapping standards programs. After listening to feedback from the DIB, the DoD realized that updates would need to be made to optimize the rollout of the program and maintain the focus on securing FCI and CUI. In late 2021, the DoD released a notice of proposed rulemaking and details about the new model, referred to as CMMC 2.0. It is expected that the model will continue to evolve as industry feedback on CMMC 2.0 is evaluated and incorporated.
How to Prepare
Ultimately, the CMMC guidelines will continue to evolve based on community feedback. While the program is finalized, organizations should press forward with security enhancements and preparing for compliance with the new standards. Organizations can start by performing an assessment against the security practices of NIST 800-171. From there, build a plan of actions and milestones (POA&M) and begin remediating gaps uncovered during assessment. Keep in mind, contractors will be held accountable for assertions made in self-assessments and those scores may be a factor in procurement evaluations. Lastly, the DoD encourages participation in the rulemaking process, so organizations should consider submitting comments.
Visit Carahsoft’s CMMC resource hub and find out how we can help companies meet CMMC and NIST 800-171 guidelines. Carahsoft partners with great companies and subject matter experts that can help you prepare for CMMC assessment and remediate gaps to compliance in your environment.