Everything Defense Contractors Need to Know About CMMC 2.0

CMMC

On November 4th, the Department of Defense (DoD) announced major revisions to the Cybersecurity Maturity Model Certification (CMMC). Since it first entered federal law in December of 2020, the CMMC has only undergone minor revisions, bringing it to version 1.02. Now the framework will jump ahead to version 2.0, with a streamlined system of security levels, introduction of a waiver process, and changes to the framework core.

While full details of the CMMC 2.0 update are still forthcoming, DoD officials have indicated that the update is intended to address longstanding concerns in the defense contracting community, especially among small-to-medium sized businesses (SMBs). Most significantly, the requirement for third-party assessment will be dropped for more than half of the defense industrial base, substantially reducing the compliance burden for many organizations.

While the new CMMC requirements will not show up on contracts for at least nine months, contractors who have been preparing for CMMC compliance will need that time to change their strategy and prepare for the new rule changes. In this article, we’ll explain what these rule changes are, and what they entail for your business.

New Direction for CMMC

Since it was first announced in 2019, the CMMC has provided a model for government agencies seeking to enforce better standards of cybersecurity compliance on their supply chain partners. After a historic year for cyberattacks that illustrated critical vulnerabilities among federal agencies and contractors, this goal has never been more important.

But – in the words of Deputy Assistant Secretary of Defense (DASD) for Industrial Policy, Jesse Salazar – the DoD has struggled to find a balance between “adopting the practices they need to thwart cyber threats” and “minimizing barriers to compliance”. Accordingly, lawmakers and industry leaders have expressed concerns that CMMC requirements are too onerous or costly for some defense contractors.

In its recent announcements, the DoD has signaled a new direction for CMMC that addresses these concerns: CMMC 2.0 will provide greater flexibility to small businesses in the defense contracting industry with less reliance on third-party assessment, and a more streamlined core framework.

CMMC 2.0 vs CMMC 1.02

As of November 29th, 2021, the CMMC 2.0 framework is not publicly available, and while rules are expected to be made public in the near future – followed by a 60-day period for public comment – the rulemaking process may be extended through Fall of 2023.

Fortunately, the DoD has made some details available, primarily through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) website, and through a notice issued on the 17th. With these sources in mind, here are some major differences between CMMC 2.0 and 1.02:

Streamlined Level System

Under CMMC 1.02, defense contractors were evaluated under five levels of security, ranging from “Basic,” “Intermediate” and “Good” cyber hygiene at levels 1-3, to an “Advanced” security program at Level 5. CMMC 2.0 eliminates levels two and four, leaving only three levels that roughly correspond to the original Level 1, Level 3 and Level 5.

  1. Level 1 “Foundational” – like the original Level 1, this level will include 17 “basic” security controls derived from Federal Acquisition Regulation (FAR) clause 52.204-21.
  2. Level 2 “Advanced” – like the original Level 3, this level will include the 110 controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. However, the 20 additional CMMC-specific rules have been eliminated, leaving only NIST-derived security controls.
  3. Level 3 “Expert” – little was known about the additional cybersecurity controls at the original Level 5. The picture is more straightforward for Level 3 under CMMC 2.0: in addition to the controls from NIST SP 800-171, organizations will be required to follow a subset of controls derived from NIST SP 800-172.

Ultimately, all “CMMC unique security practices” appear to have been eliminated from CMMC 2.0, directly mapping the core framework to existing FAR and NIST requirements alone. Furthermore, organizations will no longer be evaluated for “Process Maturity” or “Institutionalization” as they were under previous versions of CMMC.

Reduction of Third-Party Assessment

Under CMMC 1.02, all defense contractors were required to undergo assessment by a third-party assessment organization (C3PAO) once every three years, whether or not they stored controlled unclassified information (CUI) considered critical to national security. Under CMMC 2.0, this requirement has changed substantially.

Of the roughly 220,000 companies in the defense industrial base, 140,000 will fall under Level 1 of CMMC 2.0, meaning they will only be required to undergo self-assessment once per year with the oversight of a senior-level executive. The same will go for companies at Level 2 who do not hold “critical” CUI – or about half of them.

At Level 3, companies will be required to undergo a triennial governmental assessment, although details are not yet available. This leaves about 40,000 companies at Level 2 who will still have to undergo third-party assessment once every three years.

Expanded Exceptions and Leniencies

Under CMMC 1.02, the conditions for contract award were straightforward: companies needed to be compliant, or lose eligibility. Under CMMC 2.0, the DoD will be more lenient, awarding contracts to some organizations without CMMC implementation, provided they submit a Plan of Action and Milestones (POA&M) and agree to abide by a hard deadline.

CMMC 2.0 will also introduce a limited waiver process which would allow organizations to forgo some CMMC requirements under special circumstances. While these allowances would likely not apply to mission-critical security controls, many details of the process and its scope have not been clarified yet. Even so, a waiver process represents a radical departure from CMMC 1.02.

Preparing for CMMC 2.0

In some ways, CMMC 2.0 maintains substantial continuity with existing security legislation and compliance processes. In other ways, it is a major step forward, holding defense contractors to a high standard of accountability and cyber-readiness. While many questions about the updated program remain unanswered, it is not too early to start preparing with a few simple steps:

  1. Install C-level officers to approve annual assessments – many organizations are familiar with the current self-certification process for NIST SP 800-171. Under CMMC 2.0, much of this process will remain the same, but organizations under Level 1, and those under Level 2 who are not storing prioritized CUI, will need an executive-level officer to sign off on the self-assessment.
  2. Take advantage of DoD resources – with the new direction of CMMC 2.0, the DoD has committed to helping its partners in any way it can, with resources like Project Spectrum, providing organizations with free educational materials and a cyber readiness check.
  3. Get a readiness assessment – since it is based on existing NIST regulations, it’s possible to start preparing your organization for compliance with CMMC 2.0 right now. A professional readiness assessment will reveal gaps in your systems and networks, establishing a roadmap for CMMC 2.0 compliance individualized to your organization.

Based on our years of experience conducting assessments for compliance with the NIST standards that form the basis of CMMC 2.0, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.

NIST 800-53 Rev. 5: What it Is, and Why You Should Care

NIST, security and privacy controls

Later this year, the National Institute of Standards and Technology (NIST) will release Revision 5 of Special Publication SP 800-53, Security and Privacy Controls for Information Systems and Organizations, a key framework documenting recommended security controls for federal information systems. Soon, government agencies, contractors and FedRAMP-certified vendors will be rushing to update their systems before the guidelines go into effect.

As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 directly applies to any federal organization (aside from national security agencies), and indirectly to non-federal organizations via SP 800-171. In this article, we’ll summarize the contents and newest revisions.

Establishing Security Controls

To maintain security, any IT system must observe basic security controls to prevent threat incidents and establish proper responses. On an ongoing basis, NIST compiles and documents controls recommended to it by research groups including the Information Technology Laboratory (ITL).

The most recent edition (Rev. 4) of SP 800-53 includes 212 controls distributed across 18 control families designated by acronyms, such as “AC” for “Access Control,” “IR” for “Incident Response” and “CM” for “Configuration Management”. Controls are ranked according to three (3) tiers of impact ranging from “low” to “moderate” to “high,” and fall into three types:

  • Common – used throughout an organization
  • Custom – specific to an application or device
  • Hybrid – standard control customized by an organization

SP 800-53 is very useful as reference material for designing security plans, and its controls are used as a basis for other special publications/regulations. However, to actually protect an organization it must be implemented according to a Risk Management Framework (RMF).

The NIST RMF

SP 800-53 contains outlines for a standardized Risk Management Framework. For this purpose, it is commonly used in conjunction with SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A System Life Cycle Approach for Security and Privacy, which details the formal certification and accreditation process.

The NIST RMF guides organizations through a comprehensive risk management and response plan in six (6) stages:

  1. Categorize – determine the category of information systems based on type of information processed and threat impact
  2. Select – select baseline security controls to mitigate risk
  3. Implement – implement and describe how the security controls have been deployed
  4. Assess – assess performance, correct implementation, and outcome of the security controls
  5. Authorize – authorize operation of the system based on its overall risk to an organization, its assets, mission, and personnel
  6. Monitor – monitor security controls on a regular basis and record performance, reporting concerns to appropriate organizational officials when necessary

Due to its methodological rigor, the NIST RMF gives organizations a high degree of precision in determining risk, mitigating threats, and maintaining accountability before regulatory bodies.

Who Does SP 800-53 Apply To?

SP 800-53 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be referred to by anyone to whom they apply. This includes:

  • FedRAMP – Cloud Service Providers (CSPs) authorized under a FedRAMP program are required to use SP 800-53 controls to secure their services and facilities
  • FISMA – since SP 800-53 is used as the basis for FISMA, state agencies and any contractors partnered with the federal government will also have to comply
  • Defense Federal Acquisition Regulation Supplement (DFARS) – while SP 800-171 initially imported security controls from SP 800-53, the controls have since been adjusted to better protect controlled unclassified information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS, and is increasingly being used as a reference for non-federal security programs, such as to form a baseline for protection of Industrial Control Systems (ICS) in some industries.

In general, it is safe to assume that as an organization conducting any business with the U.S government, SP 800-53 or some portion of it will apply to information systems used during the contract.

Changes in Revision 5

Because SP 800-53 applies to all U.S. agencies and government partners, it goes without saying that compliance is mandatory, and systems should be updated to reflect new revisions as soon as they are released.

Revision 5, to be released later this year, brings with it a new emphasis on privacy, expanded security controls and changes to control categories:

  • Outcome-based (as opposed to impact-based) controls
  • New emphasis on privacy: integration of privacy controls with security controls, and better integration with cybersecurity/risk management
  • Separation of control selection from actual controls
  • New controls based on threat intelligence

Revision 5 will go into effect in 2020, a year from the date of its official release. In the meantime, preparing to comply will help your organization be ready. To learn more about the latest version of SP 800-53, view the draft on NIST’s website.

Securicon Can Help

To become NIST 800-53 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!