With the Department of Defense unveiling CMMC version 2.0 last November, many contractors breathed a sigh of relief. The relaxed assessment requirements and streamlined structure signaled a willingness from the DoD to work with assessors and contractors to find a way to promote security over Controlled Unclassified Information (CUI) without making the process harder than it needed to be.
However, a recent town hall from the DoD has shifted some of that relief and reasserted the requirement for third-party audits under CMMC.
What Is the CMMC 2.0 Update?
The original CMMC specification, retroactively named CMMC 1.0, was a way to streamline and standardize the requirements for handling CUI as dictated by the controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
CMMC organizes the controls in NIST 700-171 into “maturity levels,” with the original version 1.0 using 5 different levels. Each level has an increasing number of controls and practices that they must implement, including a system of capabilities demonstrating the types of capacities they have organizationally (documentation, optimization, etc.).
CMMC 2.0 updated the original system to streamline some of its rougher edges and make compliance that much easier.
Some of the changes that were introduced to this effect include the following.
Three Simplified Maturity Levels
CMMC 2.0 includes a more reasonable and easier-grasped system with only three maturity levels.
- Level 1 is the entry into the framework and only requires implementation of 15 controls contained in NIST 800-171 and serves as the baseline for contractors to handle Federal Contract Information or FCI.
- Level 2 expands that requirement to all 110 controls in NIST 800-171 and represents the minimum achievement for contractors to handle CUI.
- Level 3 draws a select set of controls from NIST 800-172 on top of the Level 2 requirements and is a requirement for more advanced defense needs related to ongoing attacks and Advanced Persistent Threats (APTs).
The original CMMC framework required third-party audits through Third-Party Assessment Organizations (C3PAOs) certified by the CMMC Authorization Board (CMMC-AB). The new version loosened some of that requirement so that Level 1 and some Level 2 compliance tracks could work with self-assessments on the contractor’s part. The right to self-assess is given by the CMMC-AB on a case-by-case basis.
Plan of Action and Milestones (POA&M) Reports
Unlike other regulations like FedRAMP, CMMC version 1.0 explicitly eliminated the use of a POA&M and instead required that, in all cases, contractors must meet compliance requirements at the point of an audit. Version 2.0 allows POA&Ms to correct non-compliant systems with tentative certification in some contexts.
The overall goal of CMMC 2.0 was to make certification easier without sacrificing rigor or security. Instead of cutting out requirements, the Department of Defense (DoD) folded them into a smaller set of levels more closely tied to the existing NIST guidelines.
How Are Expectations Changing for Contractors?
One of the most significant changes between the two versions was the ability for organizations to self-attest. The demand for organizations to work with C3PAOs was important, as it generally required a non-biased and expert security firm to determine the security of a given business’s IT and data systems.
The opening of the door to self-attestation was seen by many as a major step in making the compliance requirements simpler. This is especially true with Level 1 maturity certification. At this level, the contractor requires only 17 of the full 110 NIST 800-171 controls. Furthermore, it doesn’t even confer the right to process or store CUI anyway–the contractor would need to pursue Level 2 compliance for that entirely.
During its announcement of the program, the DoD announced that of the roughly 80,000 contractors handling CUI, only an approximate 40,000 of them actually handle data that is sensitive enough to justify audits through C3PAOs.
What did this mean? As contractors were approaching CMMC compliance, nearly half directly handling CUI were expected to have the self-assessment option available to them–a huge break for some, as CMMC requirements take plenty of resources to implement and maintain.
During a recent town hall meeting, however, DoD Chief Information Officer (CIO) David McKeown admitted that their survey showed that every one of the 80,000 contractors under consideration would be expected to undergo third-party audits.
What changed? Simply put, the relationships of these contractors to the DoD supply chain and U.S. industry, coupled with the modern cybersecurity landscape, showed that it wasn’t realistic to demarcate “safe” CUI from “unsafe CUI.”
How does this impact contractors?
- Most companies have not met their CMMC requirements yet, per audit results. It’s going to be critical that these contractors align their business and IT processes with the new standard–especially now that there isn’t a self-assessment loophole to make auditing potentially easier.
- Contractors handling CUI will need to start forming a relationship with a C3PAO listed on the CMMC-AB Marketplace.
- With the understanding of the scope of audits needed, McKeown has openly stated that the DoD “isn’t married” to the planned 2025 timeline for full program rollout if it means making life easier for contractors attempting to meet their regulatory obligations.
Note that this doesn’t mean that all contractors, in general, are expected to undergo third-party audits. According to the DoD, there are still 140,000 contractors handling FCI at Level 1 that do not have the C3PAO requirement.
Arranging the Pieces for CMMC Compliance
If your services, products or organization are going to be part of CUI processing, it looks like there are no real alternatives to extensive C3PAO auditing. While the CMMC 2.0 standard eases compliance, its common knowledge that managing CUI, CMMC regulations and new compliance are all new and challenging processes. The DoD is admitting as such, and while there seem to signal that it is open about timelines, there is most likely little or no wiggle room in terms of adherence to NIST 800-171 and 800-172 controls.
Lazarus Alliance is a fully-featured security and compliance firm with a long history of managing government and private sector IT security. We are also a certified third-party assessment organization for both FedRAMP and CMMC regulations. Our Continuum GRC ITAMs platform is, at the time of this writing, the only FedRAMP and StateRAMP Authorized risk assessment platforms in the world.
Are you ready to prepare for your journey into CMMC compliance? Work with Lazarus Alliance.
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.