Everything Defense Contractors Need to Know About CMMC 2.0

CMMC
CMMC

On November 4th, the Department of Defense (DoD) announced major revisions to the Cybersecurity Maturity Model Certification (CMMC). Since it first entered federal law in December of 2020, the CMMC has only undergone minor revisions, bringing it to version 1.02. Now the framework will jump ahead to version 2.0, with a streamlined system of security levels, introduction of a waiver process, and changes to the framework core.

While full details of the CMMC 2.0 update are still forthcoming, DoD officials have indicated that the update is intended to address longstanding concerns in the defense contracting community, especially among small-to-medium sized businesses (SMBs). Most significantly, the requirement for third-party assessment will be dropped for more than half of the defense industrial base, substantially reducing the compliance burden for many organizations.

While the new CMMC requirements will not show up on contracts for at least nine months, contractors who have been preparing for CMMC compliance will need that time to change their strategy and prepare for the new rule changes. In this article, we’ll explain what these rule changes are, and what they entail for your business.

New Direction for CMMC

Since it was first announced in 2019, the CMMC has provided a model for government agencies seeking to enforce better standards of cybersecurity compliance on their supply chain partners. After a historic year for cyberattacks that illustrates critical vulnerabilities among federal agencies and contractors, this goal has never been more important.

But – in the words of Deputy Assistant Secretary of Defense (DASD) for Industrial Policy, Jesse Salazar – the DoD has struggled to find a balance between “adopting the practices they need to thwart cyber threats” and “minimizing barriers to compliance”. Accordingly, lawmakers and industry leaders have expressed concerns that CMMC requirements are too onerous or costly for some defense contractors.

In its recent announcements, the DoD has signaled a new direction for CMMC that addresses these concerns: CMMC 2.0 will provide greater flexibility to small businesses in the defense contracting industry with less reliance on third-party assessment, and a more streamlined core framework.

CMMC 2.0 vs CMMC 1.02

As of November 29th 2021, the CMMC 2.0 framework is not publicly available, and while rules are expected to be made public in the near future – followed by a 60-day period for public comment – the rulemaking process may be extended through Fall of 2023.

Fortunately, the DoD has made some details available, primarily through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) website, and through a notice issued on the 17th. With these sources in mind, here are some major differences between CMMC 2.0 and 1.02:

Streamlined Level System

Under CMMC 1.02, defense contractors were evaluated under five levels of security, ranging from “Basic,” “Intermediate” and “Good” cyber hygiene at levels 1-3, to an “Advanced” security program at Level 5. CMMC 2.0 eliminates levels two and four, leaving only three levels that roughly correspond to the original Level 1, Level 3 and Level 5.

  1. Level 1 “Foundational” – like the original Level 1, this level will include 17 “basic” security controls derived from Federal Acquisition Regulation (FAR) rules 52.204-21
  2. Level 2 “Advanced” – like the original Level 3, this level will include the 110 controls in National Institute of Standards and Technology (NIST) special publication (SP) 800-171. However, 20 additional rules have been eliminated, leaving only NIST-derived security controls.
  3. Level 3 “Expert” – little was known about the additional cybersecurity controls at the original Level 5. The picture is more straightforward for Level 3 under CMMC 2.0: in addition to the controls from NIST SP 800-171, organizations will be required to follow a subset of controls derived from NIST SP 800-172.

Ultimately, any “CMMC unique security practices” appear to have been eliminated from CMMC 2.0, directly mapping the core framework to existing FAR and NIST legislation alone. Furthermore, organizations will no longer be evaluated for “Process Maturity” or “Institutionalization” as they were under previous versions of CMMC.

Reduction of Third-Party Assessment

Under CMMC 1.02, all defense contractors were required to undergo assessment by a third-party assessment organization (C3PAO) once every three years, whether or not they stored controlled unclassified information (CUI) considered critical to national security. Under CMMC 2.0, this requirement has changed substantially.

Of the roughly 220,000 companies in the defense industrial base, 140,000 will fall under Level 1 of CMMC 2.0, meaning they will only be required to undergo self-assessment once per year with the oversight of a senior level executive. The same will go for companies at Level 2 who do not hold “critical” CUI – or about half of them.

At Level 3, companies will be required to undergo a triennial governmental assessment, although details are not yet available. This leaves about 40,000 companies at Level 2 who will still have to undergo third-party assessment once every three years.

Expanded Exceptions and Leniencies

Under CMMC 1.02, the conditions for contract award were straightforward: companies needed to be compliant, or lose eligibility. Under CMMC 2.0, the DoD will be more lenient, awarding contracts to some organizations without CMMC implementation, provided they submit a Plan of Action and Milestones (POA&M) and agree to abide by a hard deadline.

CMMC 2.0 will also introduce a limited waiver process which would allow organizations to forego some CMMC requirements under special circumstances. While these allowances would likely not apply to mission-critical security controls, many details of the process and its scope have not been clarified yet. Even so, a waiver process represents a radical departure from CMMC 1.02.

Preparing for CMMC 2.0

In some ways, CMMC 2.0 maintains substantial continuity with existing security legislation and compliance processes. In other ways, it is a major step forward, holding defense contractors to a high standard of accountability and cyber-readiness. While many questions about the updated program remain unanswered, it is not too early to start preparing with a few simple steps:

  1. Install C-Level officers to approve annual assessments – many organizations are familiar with the current self-certification process for NIST SP 800-171. Under CMMC 2.0, much of this process will remain the same, but organizations under Level 1 and Level 2 who are not storing prioritized CUI will need an executive level officer to sign off on the self-assessment.
  2. Take advantage of DoD resources – with the new direction of CMMC 2.0, the DoD has committed to helping its partners in any way it can, with resources like Project Spectrum, providing organizations with free educational materials and a cyber readiness check.
  3. Get a readiness assessment – since it is based on existing NIST regulations, it’s possible to start preparing your organization for compliance with CMMC 2.0 right now. A professional readiness assessment will reveal gaps in your systems and networks, establishing a roadmap for CMMC 2.0 compliance individualized to your organization.

Based on our years of experiencing conducting assessments for compliance with NIST standards that form the basis of CMMC 2.0, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.

How Zero Trust Push Will Transform the Government

zero trust architecture
zero trust architecture

2021 has been an eventful year for cybersecurity, especially in the federal space. Following a series of high-profile cyberattacks targeting government organizations and public infrastructure, the White House decided to take action this summer with a sweeping executive order that demands broad reforms to improve America’s cybersecurity posture.

Now, federal agencies like the Office of Management and Budget (OMB) are leading the charge with a new strategy for transformation centered on zero trust security. But zero trust is more than a buzzword, or list of new procedures and rituals: instead, it represents a paradigm shift that will impact federal organizations and contractors at every level.

At the end of Cybersecurity Awareness month, we reflect on these developments in the context of a rapidly changing threat landscape, and explore the role that zero trust security will play in hardening federal infrastructure against advanced cyber actors.

Our Current Cybersecurity Crisis

Last year’s attack on IT platform SolarWinds Orion brought renewed awareness to the problem of supply chain security, after it impacted more than 18,000 organizations, including 9 federal agencies and their suppliers. Only five months later, a ransomware attack on Colonial Pipeline highlighted the precarious vulnerabilities of America’s critical infrastructure.

It would be nice to imagine that either of these events were flukes, but that is not the case: according to a study of large enterprises, 64% have been impacted by software supply chain attacks within the last 12 months. Meanwhile, the cost from ransomware attacks is expected to reach $20 billion this year – a 57-fold increase from the cost in 2015.

While there are undoubtedly many reasons that account for the explosive rise of cyber incidents, the White House cited “outdated security models” as a factor in May’s ‘Executive Order on Improving the Nation’s Cybersecurity’. In turn, it mandated a number of correctives, including the adoption of ‘Zero Trust Security Architecture’ throughout the federal government.

The Philosophy of Zero Trust

The principles that will guide federal implementation of zero trust security are outlined in a draft, released by the OMB on September 7th for public comment. At a high level, the philosophy of zero trust shifts the focus of cybersecurity from the perimeter of an organization to its internal networks, treating every user, device and application like it is potentially a threat.

Today, it is common for organizations to harden their public-facing networks against attacks from the outside. Cyber actors focus on overcoming these barriers, and move laterally from their point of entry to higher value targets. While they will meet varying degrees of resistance along the way, there’s a good chance of success as long as they can get their foot in the door.

Under a zero trust model, getting past the door won’t be nearly enough: users will be continually verified with multi-factor authentication as they switch between applications and devices. Checks will be constantly performed, and privileges will only be distributed as needed. Best of all, it works equally well against threats on the inside.

The Zero-Trust Maturity Model

On the same day that OMB released its memo, the Cybersecurity and Infrastructure Security Agency (CISA) issued two documents: a draft technical reference architecture, and a Zero-Trust Maturity Model (ZTMM), which outlines the “optimal” zero trust environment that government organizations will be held to over the coming years.

The ZTMM draft aligns with five specific security goals outlined in the OMB’s memo, which agencies are required to meet by the end of September 2024:

  • Identity – personnel must receive an agency-wide identity to access work applications, with phishing-resistant, multi-factor authentication (such as the government’s Personal Identity Verification Standard, or PIV).
  • Devices – agencies must maintain a complete inventory of every device it authorizes for use on government networks, with the ability to detect and respond to any cyber incidents originating from them.
  • Networks – agencies must encrypt all DNS requests and HTTP traffic within their environment, and segment networks around applications. They are expected to encrypt emails in-transit, if the government identifies a reliable method for doing so.
  • Applications – all applications must be treated as Internet-connected, and subjected on a regular basis to “rigorous testing” with the help of external vulnerability reports.
  • Data – agencies should work together to deploy protections with the use of data categorization. Cloud security services are recommended to monitor sensitive data access, and implement enterprise-wide logging/information sharing.

Acknowledging the scale of transformation required to meet these goals, the OMB has called on agencies with strong cybersecurity programs to help those in a weaker position. It also anticipates that CISA will offer zero trust maturity surveys in the future, helping agencies to identify and remediate gaps.

The Benefits of Zero Trust

Ultimately, zero trust architecture is just one of many initiatives stemming from May’s executive order. But while it will not magically render organizations invulnerable to cyberattacks, it will bring about significant transformation in more ways than one:

  1. Constant validation of user identity, activity monitoring and segmentation of apps from networks will make attacking significantly harder, both for foreign cyber actors and malicious insiders.
  2. Complete and accurate device inventories will give government agencies significantly more control over their infrastructure, rapid insights and the ability to respond quickly in an emergency.
  3. Ultimately, implementation of zero trust models will accelerate modernization of federal IT by requiring agencies to break down siloes and coordinate information sharing.

Today, threat actors are moving fast. To protect national security, government agencies and contractors will have to move faster. For a long time, our federal infrastructure and cybersecurity strategy has stagnated – but the progress we’ve seen in a single year gives us reason to be hopeful.

Find Your Weaknesses

In its recent memo on zero trust, the OMB recommends that agencies rely on third party vulnerability assessments to identify and remediate application vulnerabilities. Don’t fall prey to the next SolarWinds: partner with cybersecurity experts who can probe your organization for gaps before they are exploited.

Securicon hardens organizations against current and developing threats. With years of expertise trusted by the DoD, DHS and U.S Cyber Command, we help our clients through vulnerability and penetration tests; governance, risk and compliance (GRC) services, and security architecture review. Contact us to learn more

DHS Exploring CMMC-Like Program: Will More Agencies Follow?

The Cybersecurity Maturity Model Certification (CMMC) program has been in effect for almost a year now. In the face of rising cybersecurity threats, the program is meant to provide more robust security standards for defense contractors and a method of enforcement via third-party assessors.

But beginning a few months ago, agencies beyond the Department of Defense (DoD) have expressed interest in following the CMMC or CMMC-like programs, and now the Department of Homeland Security (DHS) has joined their ranks. Over the next year, it’s likely that more will follow, and small business owners are concerned about the potential impact of an increased compliance burden.

In this article, we’ll take a look at the DHS’s recent special notice, its potential effects on small government contractors, and how the landscape for CMMC compliance is likely to change over the coming year.

The DHS Special Notice

On August 10th, the DHS issued a special notice, announcing its intent to “advance our process in assessing industry compliance with Cyber Hygiene clause requirements”. Cyber Hygiene clauses were first adopted by the DHS in 2015 – but until now, the agency has relied on contractor self-assessment to enforce them.

Now the agency hopes to change that with a program modelled on the CMMC. It states: “our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.” Since then, the agency has been engaged in a pathfinder assessment to determine the best way forward.

The decision mirrors a similar move by the General Services Administration (GSA), which began reserving the right to survey awardees of the Streamlined Technology Application Resource for Services (STARS) III contract for “CMMC level and ISO certification” last October. But CMMC adoption is unlikely to end there.

CMMC: The Perfect Tool for Contractor Assessment

Government agencies are facing increased cybersecurity risk, especially from ransomware and supply chain attacks. This year alone, the SolarWinds and Colonial Pipeline incidents have drawn attention to the need for increased vigilance and higher accountability, culminating in an executive order that demands both.

In this context, it’s easy to understand why agencies are increasingly relying on the CMMC: they need a way to evaluate contractors for cybersecurity preparedness, and CMMC is already designed with this goal in mind. Among other key advantages, it is:

  • Based on regulations from the National Institute for Standards and Technology (NIST), which are up-to-date, and designed to address emerging threats.
  • Divided into five certification tiers, ranging from basic cyber hygiene to protection against advanced cyber actors
  • Equipped with a ready-made enforcement mechanism through certified third-party assessment organizations (C3PAOs)

In order to cope with the federal government’s demand for increased cybersecurity, more agencies are likely to follow in the GSA and DHS’s footsteps, beginning with the largest. But how is this likely to impact contractors?

Impact on Contractors

Increased cybersecurity comes at a cost, and some businesses are concerned they won’t be able to fit the bill if civilian agencies decide to enforce the CMMC’s higher certification tiers. In June, small government contractors lobbied Congress for a more lenient certification process, asking the DoD to reserve Tier 1 certification standards for most companies in the defense industrial base (DIB).

With respect to financial impact, these concerns may be overblown: the DoD has long required compliance with NIST special publication (SP) 800-171 for all defense contractors. Under CMMC, most contractors will be required to meet Tier 3 certification or below, and Tier 3 is comparable to NIST 800-171 in cybersecurity level.

Outside the DIB, NIST 800-171 has also been adopted by the GSA, National Air and Space Administration (NASA) and other agencies on a contract-by-contract basis. For contractors of these organizations, CMMC-compliance will represent continuity with their existing cybersecurity burden.

Conclusion

Within the federal government’s service supply chain, even small businesses can represent a major cybersecurity risk: attackers can use them as an entry point for organizations further up the chain, and gain access to systems with classified information. As cyber actors become more sophisticated, a higher level of security becomes necessary across the board.

In the end, it makes a lot of sense for government agencies beyond the DoD to lean on CMMC standards. Civilian and non-DoD contractors should prepare by familiarizing themselves with the CMMC, conducting NIST 800-171 self-assessments, and partnering with experts who can help them to comply with the latest federal regulations.


Based on our years of experiencing conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171 which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.

 

What Defense Contractors Need to Know About New DFARS Rules and CMMC Compliance

In 2019, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC), a new set of standards for cybersecurity compliance across the Defense Industrial base (DIB). Last December, the CMMC finally went into effect under an “interim rule” which gives organizations in the defense sector time to fully comply while the DoD prepares for enforcement.

Since 2017, organizations doing business with the federal government have been required to comply with the National Institute of Standards and Technology (NIST) special publication (SP) 800-171. The 110 security practices listed in NIST 800-171 have been incorporated and supplanted by CMMC with new rules to deal with modern threats. But just how much does this change for defense contractors?

In this article, we will explain the current status of CMMC under Defense Federal Regulation Supplement (DFARS) rules 252.204 – 7019. The new DFARS rules lay out a roadmap for CMMC implementation which will shape federal security for years to come.

What is CMMC?

In recent years, the number of cybersecurity threats to government agencies and contractors have multiplied due to many factors, including an increased number of cyber actors, growth of remote employment, and the Internet of Things (IoT). CMMC is focused on protecting Controlled Unclassified Information (CUI) from falling into enemy hands by responding to the problem of increased cybersecurity threats.

While NIST 800-171 shared the same purpose, its role was hindered by a self-certification process which sometimes resulted in substandard levels of compliance across DIB organizations. In the face of rising cyber incidents, the DoD has decided that stricter standards must be enforced.

The CMMC is envisioned as the next step in federal security compliance, requiring organizations to undergo a third-party assessment before they are eligible to apply for sensitive defense contracts. Despite stricter standards, the CMMC also provides greater flexibility through five tiers that recognize different levels of cybersecurity maturity.

The Interim Rule

Last November, the DoD unexpectedly issued an “interim rule” which creates a period of transition before CMMC is fully implemented. The details of this transition are outlined in an update to DFARS (DFARS 7019).

  • Rule 7019 – defense contractors that process, store or create CUI are still required to submit a NIST 800-171 self-assessment and submit their score until CMMC is fully implemented
  • Rule 7020 – if the government decides that a further assessment is necessary, defense contractors must grant access to their facilities, systems and employees.
  • Rule 7021 – the CMMC is now Defense Department policy. This rule lays out a timeline for compliance; an increasing number of contracts will formally require CMMC compliance until October 1st, 2025, when it will become a default requirement for all DoD contracts.

In the meantime, certified third-party assessment organizations (C3PAOs) must be verified by the CMMC Accreditation Body (AB). This may take some time: currently, there are only two such organizations, and no more than 360 are expected by the end of 2021.

CMMC: What You Need to Know Right Now

Due to the low number of C3PAOs, most organizations will be unable to receive the third-party assessment required for CMMC certification at this time. Until that changes, organizations should familiarize themselves with CMMC requirements under the interim rule and prepare to apply for certification at a later date.

Trust But Verify

With CMMC, the Defense Department is adopting a “trust but verify” policy. Moving forward, checking off boxes will not be enough: organizations will have to make a real commitment to cybersecurity if they want to be CMMC-certified.

During the third-party assessment process, employees will be interviewed, facilities will be inspected, and systems will be analyzed to ensure that proper protections have been implemented. Being prepared means adopting a mindset of cybersecurity and aligning organizational goals with the goals of CMMC.

Self-Verification Requirement

Until CMMC is fully implemented, organizations will still be required to perform NIST 800-171 self-assessments to ensure they are compliant with minimum standards. Under DFARS 7019, contractors must perform this assessment every three years in order to be considered for a contract award.

Guidelines for conducting a NIST 800-171 assessment can be found in NIST Handbook 162. Results must be documented for training purposes and submitted to the Supplier Performance Risk System (SPRS). This requirement will elapse on October 1st, 2025 when CMMC becomes mandatory for all defense contracts.

Cybersecurity Maturity

The “maturity” portion of CMMC is reflected in five certification tiers which recognize that different organizations are farther along in their cybersecurity program than others. These levels are summarized below:

  • Levels 1 – 3 – right now these are the only levels whose certification standards are fully known. They correspond to Basic, Intermediate and Good “cyber hygiene. Level 3 includes 130 total security practices, and is roughly equal to NIST 800-171 in the level of cybersecurity it provides.
  • Level 4 – includes “enhanced” security requirements for a “Proactive” security program. At Level 4, organizations are expected to be prepared for advanced persistent threat (APT) groups and their tactics.
  • Level 5 – entails highly optimized cybersecurity practices for an “advanced” security program. At this level, organizations must be able to defend sensitive data from advanced cyber actors.

When CMMC is fully implemented, all contractors handing CUI will be required to achieve level 3, just as all are currently required to meet the requirements of NIST 800-171. Level 3 will remain the most common certification level on DoD contracts, with levels 4 and 5 reserved for highly sensitive applications.

Prepare for CMMC With Securicon

Based on our years of experiencing conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171 which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs.


Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services.  Contact Us to learn more!