CMMC Overview and Guides

The CMMC Overview and Guides talk about the Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework launched by the Department of Defense (DoD) to protect the defense industrial base from cybersecurity threats.

CMMC is designed to ensure that defense contractors are meeting at least a basic level of cybersecurity hygiene to protect sensitive defense information. To that end, CMMC subjects all DoD contractors to third-party cybersecurity assessments.

What is CMMC?

CMMC’s goal is to ensure the protection of sensitive defense information. Defense information can be categorized into two types:

1. Controlled Unclassified Information (CUI): in general, this is information marked or identified in a government contract as requiring protection under the CUI program.
2. Federal Contract Information (FCI): information not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

As a defense contractor, it’s important to understand the type of information shared in the relevant DoD contract because this determines the level of protection you need to implement in order to ensure that cybersecurity risks are mitigated. CMMC is based on an ascending level of preparedness; the level of protection required varies. The level ranges from basic cyber hygiene at Level 1 to advanced or progressive cybersecurity at higher levels. Generally, for FCI data, level 1 is required, and for CUI data, levels 2 and/or 3 are required.

The CMMC framework was enacted in 2020 and has since undergone a series of changes.

CMMC 1.0

CMMC version 1.0 was released in November 2020 and included:

1. Five (5) levels of Cyber Hygiene
   • Level 1 – Basic
   • Level 2 – Intermediate
   • Level 3 – Good
   • Level 4 – Proactive
   • Level 5 – Advanced
2. 17 Domains
3. 170+ practices
4. Processes: Maturity Levels 2-5
5. Certification requirements: Third-party assessments and certification are required for Levels 1, 3, and 5. Levels 2 and 4 are regarded as transitional levels and do not warrant an assessment.

CMMC 2.0

In November 2021, the DoD announced the release of CMMC 2.0. Version 2.0 includes several modifications relative to the prior version:

1. Three (3) levels of Cyber Hygiene
   • Level 1 – Foundational
   • Level 2 – Advanced
   • Level 3 – Expert
2. 17 domains
3. 110+ practices.
4. Certification requirements: triennial government-led assessments and certification are required for Level 2 (for contracts containing critical national security information) and Level 3. Level 1 and select Level 2 programs can be self-assessed.

CMMC 2.0 differs from 1.0 in the following key ways:

1. It reduces the number of CMMC levels from five to three.
2. CMMC 2.0 is aligned with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share CUI.
3. Whereas Plans of action and Milestones (POAMs) were not allowed in CMMC 1.0, CMMC 2.0 allows for limited use of POAMs. POAMs can only be used for 1 and 3 point controls and a very limited number of 5 point controls.
4. Waivers for certification are permitted in very limited circumstances.

What are Plans of Actions and Milestones (POAMs)?

As a defense contractor, Plans of Action and Milestones (POAMs) are a necessary part of your compliance strategy. POAMs give organizations a path to compliance by  indicating the specific measures to take to correct deficiencies found or meet the CMMC control requirements. POAMs allow organizations to continue to bid for contracts before achieving full compliance.

The POAMs include the security tasks and also the resources that are required, the milestones that must be met, and the completion dates for those milestone activities.

What are the CMMC Version 2.0 Levels?

CMMC 2.0 lowers the number of CMMC levels from five to three (Level 1, Level 2 and Level 3) and includes cybersecurity best practices across 17 domains.

1. Level 1 (Foundational) only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. Level 1 is based on the 17 controls and focuses on the protection of FCI.
2. Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3. CMMC 2.0 Level 2 aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) in SP-800-171 to protect CUI and eliminates practices and maturity processes that were unique to CMMC.
3. Level 3 (Expert) is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls

The CMMC certification process

CMMC certifications are conducted via third-party assessments, which are led by authorized and accredited assessors, known as C3PAOs, and are valid for three years. The C3PAO then issues a CMMC certificate based on the results of the assessment.

The difficulties in getting a certification lie with the fact that there are not many C3PAOs, which means that finding time on a C3PAO’s schedule is a lengthy process. If you are interested in finding out whether a third-party assessor is a C3PAO, check out the CMMCAB.org directory.

Who Should Pursue a CMMC certification?

CMMC is required of any individual, contractor, subcontractor, or agency that interacts exclusively with the Department of Defense (DOD).

Most businesses require only a Level 1 to Level 3 certification.

The precise level of certification is defined in the Request For Proposal (RFP) contract with the DOD.

What will this cost me?

Traditionally, CMMC can cost anywhere from $50,000 to $100,000 when you factor in the cost of the audit firm as well as internal costs including productivity, staff training, and resources needed to meet specific requirements.

At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. TrustCloud wants to make the readiness and audit processes both affordable and simple. The cost is broken down into two areas:

1. The cost of CMMC compliance readiness using the TrustCloud platform is FREE for startups because it automates much of the process and has a transparent and straightforward pricing structure. TrustCloud makes it easier for you to manage the overall cost of achieving CMMC readiness
2. An auditor. TrustCloud has developed strong relationships with a number of audit firms. This means that they are trained on the platform and know how to evaluate your business; they are also able to pass along sizable discounts as a result of a referral from TrustCloud. CMMC audit partners in the TrustCloud network charge between $15,000 and $30,000 for CMMC audits, based on the maturity and complexity of the engagement.

How long is the CMMC process going to take?

Without TrustCloud, you would be looking at a very manual and tedious process that could take up to a year. During this time, you need to understand each requirement and how it applies to your business, conduct the necessary testing, accumulate all the evidence proving your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an auditor needs to evaluate your business and observe your practices.

Learn more about CMMC compliance automation with TrustOps!

Click on the next article to understand how to get started with CMMC!