CMMC 2.0 – Know about U.S. DoD’s cybersecurity certification
Compared to the first version, CMMC 2.0 streamlines U.S. Department of Defense’s (DoD) cybersecurity requirements down to three levels and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. In this article we will review the basics of CMMC 2.0 and what we know so far about how this will impact contracts with DoD.
Canadian companies working in the defence or financial sectors are already aware that strong practices for handling sensitive information are critically important. With the updated cybersecurity certification that will soon be required of all DoD contractors, how you protect your data will determine whether you can access lucrative U.S. military market opportunities.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the cybersecurity practices of companies working with the U.S. DoD. It was developed to address the increasing threats posed by cyberattacks and to protect the sensitive information and data associated with defense contracts.
The CMMC combines today’s many different cybersecurity standards — including those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Aerospace Industries Association and others — into a single, unified standard for cybersecurity. In doing so, it gives the U.S. DoD a more straightforward mechanism for assessing and verifying contractors’ cybersecurity readiness, including their ability to protect sensitive information stored in and transmitted across their networks.
To comply with the CMMC requirements, organizations must undergo assessments in which assessors evaluate the organization’s cybersecurity practices and assign a maturity level based on their findings. The specific maturity level required depends on the organization’s involvement with DoD contracts and the sensitivity of the information it handles.
In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), Federal Contract Information (FCI) is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.
About CMMC 2.0
At its core, CMMC 2.0 focuses on protecting and securing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It requires organizations to adhere to a set of processes and procedures to protect their data from malicious actors.
The CMMC 2.0 program has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors.
- Assessment Requirement: CMMC assessments allow DoD to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
In the sections below, we provide more information about these features.
CMMC 2.0 model
With the implementation of CMMC 2.0, DoD intends to reduce the number of levels from 5 progressive levels to 3 progressive levels. DoD has posted the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance for informational purposes. Level 3 information will be posted as it becomes available.
CMMC 1.0
5 increasingly progressive levels
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced/Proactive
CMMC 2.0
3 increasingly progressive levels:
- Level 1 (same as previous level 1)
- Level 2 (previous level 3)
- Level 3 (previous level 5)
As a result of the alignment of CMMC to NIST standards, DoD’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.
CMMC 2.0 assessments
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Unlike CMMC 1.0, which required all DoD contractors to undergo third-party assessments for CMMC compliance, upon implementation of CMMC 2.0:
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
- Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
- The highest priority, most critical defense programs (Level 3) will require government-led assessments.
CMMC 1.0
Required all DoD contractors to undergo third-party assessments for CMMC compliance.
CMMC 2.0
- Allows the majority of contractors, those associated with Level 1 and a subset of Level 2 CMMC requirements, to perform annual self-assessments
- Some CMMC Level 2 requirements must be met via triennial third-party assessments
- Level 3 programs will require triennial assessments conducted by government officials
Level 1. Foundational – Annual self-assessment
For CMMC 2.0 Level 1 requirements, and for Level 2 requirements that do not involve information critical to national security, self-assessments will suffice. These will be required on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements.
DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Level 2. Advanced – Third-party assessments
Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.
The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.
The Defense Industrial Base (DIB) company (including Canadian companies) will be fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC eMASS, which DoD can access.
Level 3. Expert – Government-led assessments
This level of compliance is required for all contractors who handle controlled unclassified information that is used in the DoD’s highest priority programs. Most defense industry leaders must meet the requirements at this level.
Because this level requires the most stringent security, assessments are only needed every three years and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must be engaged in this process.
CMMC 2.0 implementation
Once CMMC 2.0 is implemented, the required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs). DoD plans to allow companies to receive contract awards with a plan to complete CMMC requirements. However, DoD may not allow some CMMC requirements to be achieved after contract award.
CMMC 1.0
No allowance for Plan of Actions and Milestones (POA&M) to complete CMMC requirements
CMMC 2.0
- Allows the use of a Plan of Actions and Milestones (POA&M)
- Highest weighted requirements cannot be on POA&M list
- DoD will establish a minimum score requirement to support certification with POA&Ms
Under CMMC 2.0, DoD intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. DoD policies for Program Managers seeking CMMC waivers will require senior DoD leadership approval and will limit waiver duration.
CMMC 1.0
No allowance for waivers
CMMC 2.0
- Applies to the entire CMMC requirement, not to individual cybersecurity practices
- Allowed on a very limited basis in select mission critical instances, upon senior leadership approval
- Timelines imposed on a case-by-case basis to achieve CMMC compliance
CMMC updates 2024
On August 15, 2024, DoD published a new proposed rule that outlines how it will integrate the requirements for its CMMC program into the contracting process. Under the Proposed Rule:
- Contractors would be required to enter their CMMC certificate or self-assessment into the SPRS at the level specified in the contract clauses at the time of contract award.
- Contractors would need to have an affirmation of continuous compliance with the security requirements identified in 32 CFR 170 in the SPRS for each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in the performance of the contract.
- For each contractor information system that processes, stores, or transmits CUI, the contractor would post the self-assessment or certification in SPRS, which would generate a DoD unique identifier (DoD UID) to be reported to the contracting officer for each contractor information system that processes, stores, or transmits FCI or CUI during the performance of the contract.
- The contractor would be required to have and maintain the requisite CMMC level for the life of the contract.
- A senior company official for the contractor would need to complete and maintain on an annual basis, or when security changes occur, the affirmation of continuous compliance with the security requirements in 32 CFR 170.
- The contractor would need to notify the contracting officer of any changes in the contractor information systems that process, store, or transmit FCI or CUI during contract performance, including any updates to the corresponding DoD UIDs.
- The contractor would need to ensure that its subcontractors have the appropriate CMMC level prior to awarding a subcontract or other contractual instrument. The requirements of the clause must be included in subcontracts or other contractual instruments at all tiers so long as the subcontractor is processing, storing, or transmitting FCI or CUI.
Comments on the Proposed Rule are due Oct. 15, 2024; the rule could go into effect in 2025.
CMMC 2.0 timeline
When the DoD implements its CMMC program, it will be rolled out in four phases over two and a half years.
- Phase 1: Contractors must self-assess their compliance to CMMC Level 1 or 2 (whichever applicable) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts.
- Phase 2: Begins six months after Phase 1; contractors will need to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. DoD may also include CMMC Level 3 certification assessment requirements in certain contracts.
- Phase 3: Begins one year after Phase 2; DoD will extend the CMMC Level 2 certification assessment requirement to applicable contracts that were awarded prior to DoD’s finalization of the CMMC rule. This means that DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment. DoD will also add CMMC Level 3 certification assessment requirements to all applicable contract awards.
- Phase 4: Begins one year after Phase 3 and will mark the full implementation of the CMMC program.
Getting ready for CMMC 2.0
As of June 2023, there has been no official announcement as to when industry will be required to comply with CMMC 2.0 requirements.
Since all DoD suppliers will have to be certified to the appropriate CMMC level to continue doing business with DoD, industry experts advise that organizations get started early. Rhia Dancel, CMMC registered practitioner, and Tony Giles, CMMC provisional assessor with NSF International Strategic Registrations (NSF-ISR), made the following recommendations in a recent article on nsf.org.
- Implement and assess information security processes – Develop a system security plan and conduct a self-assessment to NIST 800-171 standards.
- Improve processes and submit your score – Based on the results of your self-assessment, create a plan of actions and milestones with target dates to achieve a maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).
- Identify your scope – Decide what level you need to achieve for your enterprise, organizational unit or program enclave. Note that the Cyber-AB, the accreditation body authorized to oversee all CMMC assessments and training, has only released the assessment guides for CMMC 2.0 Levels 1 and 2 so far.
- Get a preliminary gap assessment – Consider getting a preliminary gap assessment with an accredited, third-party assessment organization to identify gaps in your information security process.
- Address gap assessment findings – Fix identified information security gaps and implement these changes in your organization.
- Choose a C3PAO – Use the Cyber-AB Marketplace to identify a C3PAO and schedule your CMMC assessment.
- Undergo the CMMC assessment – Conduct your CMMC assessment with your selected C3PAO.
- Get certified – Cyber-AB reviews the assessment submitted by the C3PAO and makes a final decision on certification for your organization. If approved, your organization is awarded a three-year CMMC certification.
CMMC for Canadians
For Canadian exporters, the bottom line is simple: if you can achieve higher levels of cybersecurity certification, you’ll have access to more DoD opportunities. More importantly, if you don’t get certified, you won’t be eligible to bid on DoD contracts.
Many contractors likely won’t have to do anything new compared to what they’re currently doing in terms of cybersecurity, especially if they only need to meet the first two levels of certification under CMMC 1.0.
For most Canadian companies, the CMMC framework is a more formal mechanism to recognize the best practices they’ve already got in place. It may also be the beginning of a broader cybersecurity approach for all U.S. government contracting.
To get started on your CMMC certification, consult the cybersecurity ecosystem at Cyber AB, the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of the U.S. DoD in implementing and overseeing the CMMC conformance regime. Its Marketplace provides the name of individuals and companies who will be able to assist you in achieving CMMC 2.0 compliance.
Also stay informed on the Canadian Program for Cyber Security Certification (CPCSC). Not only are CMMC and CPCSC expected to be equivalent, but beginning in winter 2025, suppliers seeking to bid or work on select Government of Canada defence contracts must become CPCSC certified.
This post was last updated on September 5, 2024.