Complete Guide to CMMC 2.0 Compliance for Businesses

Updated 01/17/2024


The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to verify that defense industrial base (DIB) contractors protect the sensitive information the DoD shares with them. CMMC 2.0, announced in November 2021, replaces the original CMMC 1.0 with a simpler model that has fewer levels and fewer bespoke requirements. This article explains what CMMC 2.0 is, why it matters, and how businesses can achieve compliance with it.

What is CMMC 2.0, and why is it important?

CMMC 2.0 is a unified cybersecurity standard that applies to DIB contractors and subcontractors that handle federal contract information (FCI) or controlled unclassified information (CUI) on behalf of the DoD. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service (FAR 52.204-21). CUI is information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy (32 CFR Part 2002); export-controlled technical data is a common example in the DIB.

CMMC 2.0 is important because it aims to raise the cybersecurity of the DIB against evolving threats and to protect U.S. national security interests. It establishes a clear and consistent set of cybersecurity requirements for DIB contractors, together with an assessment and certification process to verify compliance: self-assessment at Level 1 and for some Level 2 programs, a third-party assessment for most Level 2 programs, and a DoD-led assessment at Level 3. Once the CMMC rule is in effect and the requirement appears in a solicitation, certification at the stated level becomes a condition of contract award, so businesses that do not hold it are ineligible to bid for and perform those contracts.

What are the main changes from CMMC 1.0 to CMMC 2.0?

CMMC 2.0 is a major revision of the CMMC framework that incorporates feedback from industry, Congress, and other stakeholders. The main changes from CMMC 1.0 to CMMC 2.0 are:

  • The number of levels was reduced from five to three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
  • The elimination of CMMC-unique practices and maturity processes, and alignment of the requirements with existing federal standards: NIST SP 800-171 at Level 2 and a subset of the enhanced requirements in NIST SP 800-172 at Level 3. ISO/IEC 27001 is not a source for CMMC requirements.
  • The introduction of self-assessments for Level 1 and for a subset of Level 2 acquisition programs, instead of requiring third-party assessments by CMMC third-party assessor organizations (C3PAOs) for everyone.
  • Increased DoD oversight and quality assurance of the third-party assessment ecosystem, in which C3PAOs are accredited by the Cyber AB (the CMMC accreditation body) and Level 3 assessments are performed by the DoD's own Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • More guidance and resources for DIB contractors to understand and implement the requirements, such as the level-specific scoping guides and assessment guides published by the DoD CIO.

What are the compliance requirements for CMMC 2.0?

The compliance requirements for CMMC 2.0 depend on the level of certification that a DIB contractor needs to achieve, which is determined by the type and sensitivity of the information that they handle. The three levels of CMMC 2.0 are:

Level 1 (Foundational):

This level applies to DIB contractors that handle FCI but not CUI. It requires the basic safeguarding requirements of FAR 52.204-21 (15 requirements, presented as 17 practices in the original CMMC 2.0 model), such as limiting system access to authorized users, patching systems, running antivirus software, and using strong authentication. Level 1 is verified by an annual self-assessment whose result, together with an affirmation by a senior company official, is entered in the Supplier Performance Risk System (SPRS). There is no numeric score at Level 1: every practice must be assessed as MET, and plans of action and milestones (POA&Ms) are not permitted for open items.

Level 2 (Advanced):

This level applies to DIB contractors that handle CUI. It requires the 110 security requirements of NIST SP 800-171 (Revision 2); CMMC adds no practices of its own at this level. For most programs, Level 2 requires a third-party assessment by a C3PAO every three years, with an annual affirmation of continued compliance in SPRS; for a subset of programs the DoD designates as lower risk, an annual self-assessment is accepted instead. Assessments are scored with the NIST SP 800-171 DoD Assessment Methodology, in which each unmet requirement subtracts 1, 3, or 5 points from a maximum of 110 (the minimum possible score is -203). A conditional certification with a time-limited POA&M is possible only if the score is at least 88 of 110 and the open items are among those the rule allows to be deferred; the POA&M must be closed out within 180 days. The assessment follows the CMMC Level 2 Assessment Guide and covers the technical controls as well as the contractor's System Security Plan (SSP), policies, and procedures. The C3PAO records the results in the DoD's CMMC instance of eMASS, from which they flow to SPRS; the contractor does not upload C3PAO results itself.

Level 3 (Expert):

This level applies to DIB contractors that handle CUI associated with the DoD's highest-priority programs. It requires all 110 NIST SP 800-171 requirements plus a subset of the enhanced requirements in NIST SP 800-172 (24 of them in the proposed rule; NIST SP 800-171B was the draft that became SP 800-172). Level 3 assessments are conducted by the DoD itself, through DIBCAC, not by a C3PAO, and a current Level 2 C3PAO certification for the same scope is a prerequisite. The additional SP 800-172 requirements must be MET, with only the limited, time-boxed POA&M allowance the rule permits; the certification is valid for three years with an annual affirmation in SPRS. As at Level 2, the assessment covers both the technical controls and the contractor's SSP, policies, and procedures.

Who needs to be CMMC compliant?

CMMC compliance is required for DIB contractors that handle FCI or CUI for the DoD, regardless of their size, location, or industry. This means that any organization that provides goods or services to the DoD, directly or as a subcontractor, must meet the CMMC level stated in its contract. The one exclusion is a supplier that provides only commercially available off-the-shelf (COTS) items. The required level depends on the type and sensitivity of the information the organization handles, stores, or transmits on behalf of the DoD: FCI alone calls for Level 1, while CUI calls for Level 2 or, for designated programs, Level 3. Examples of CUI include controlled technical information, research and development data, export-controlled data, and health information.

CMMC does not certify cloud service providers (CSPs) as such; they are covered by a different mechanism. Under DFARS 252.204-7012, a cloud service that stores, processes, or transmits CUI on a contractor's behalf must hold a FedRAMP Moderate authorization or meet security requirements equivalent to the FedRAMP Moderate baseline. FedRAMP is the government-wide program for standardized security assessment, authorization, and continuous monitoring of cloud services; it is based on the NIST SP 800-53 control baselines, from which the NIST SP 800-171 requirements are derived. Two caveats matter in practice. First, the CSP's authorization does not make the contractor compliant: the contractor remains responsible for every SP 800-171 requirement the service does not cover, so it needs the CSP's customer responsibility matrix to document which requirements are inherited and which it must implement itself in its own tenant (for example, account management, multifactor authentication settings, and audit log review). Second, the CSP must support the contractor's DFARS 252.204-7012 obligations to report cyber incidents to the DoD within 72 hours of discovery and to preserve affected images and data for at least 90 days, and the contractor should confirm that support in its agreement with the CSP. Systems that hold only FCI are not subject to the FedRAMP Moderate requirement.

How much does CMMC compliance cost?

The cost of CMMC compliance varies depending on the level of certification, the size and complexity of the DIB contractor’s organization, and the current state of their cybersecurity practices. The cost of CMMC compliance can be divided into two main categories: implementation cost and assessment cost.

  • Implementation cost: This is the cost of implementing the required cybersecurity practices, such as purchasing hardware, software, or services, hiring or training staff, or developing or updating documentation, policies, or processes. It depends on the gap between the organization's current state and the target level, and on the resources available to close that gap. For Level 2 organizations the largest component is implementing NIST SP 800-171, which DFARS 252.204-7012 has required of contractors handling CUI since 2017; the DoD's cost estimates for CMMC therefore treat it as a pre-existing obligation and count only the incremental cost of assessment, affirmation, and certification.
  • Assessment cost: This is the cost of conducting the self-assessment or the third-party assessment, depending on the level. It depends on the scope (number of enclaves, sites, and in-scope systems), the duration and complexity of the assessment, and the C3PAO's fees, which are set by the market rather than by the DoD. The DoD published estimates by level and entity size in the regulatory impact analysis accompanying the December 2023 CMMC proposed rule; contractors should use those figures rather than generic averages.

The DoD intends to allow DIB contractors to include the reasonable and allowable costs of CMMC compliance as part of their contract pricing, subject to negotiation and consent by the contracting authority.

What are the CMMC requirements for subcontractors and suppliers?

CMMC requirements apply to all DIB contractors that handle FCI or CUI on behalf of the DoD, including subcontractors and suppliers. Prime contractors are responsible for flowing the CMMC requirement down in their subcontracts and for confirming, before awarding a subcontract that involves FCI or CUI, that the subcontractor holds a current assessment or certification at the required level.

The level required of a subcontractor is determined by the information that flows down to it, not by the prime contractor's level: a subcontractor that receives only FCI needs Level 1 even if the prime holds Level 2, whereas a subcontractor that receives CUI needs Level 2 (or Level 3 where the contract requires it). Subcontractors and suppliers must conduct their own self-assessments or undergo their own third-party assessments, maintain their own records in the SPRS, and cooperate with the prime contractor and the DoD in any audits or investigations related to CMMC compliance.


How to achieve CMMC compliance?

Achieving CMMC compliance requires a systematic and proactive approach that involves the following steps:

  • Identify the level of CMMC certification that is required for the current or desired DoD contracts and the type and location of FCI or CUI that the organization handles.
  • Run a gap analysis to evaluate the current state of the organization's cybersecurity practices and identify the areas that need improvement to meet the CMMC requirements.
  • Develop and perform a remediation plan to manage the gaps and document the evidence of compliance, such as policies, procedures, plans, records, or reports.
  • Conduct a self-assessment or a third-party assessment, depending on the level of certification, and submit the results to the SPRS.
  • Maintain and monitor the compliance status and implement continuous improvement measures to ensure that the organization stays compliant with the CMMC requirements.

CMMC compliance checklist

To help DIB contractors achieve CMMC compliance, we have prepared a checklist that summarizes the main steps and actions that need to be taken. The checklist is based on the CMMC 2.0 framework and the DoD guidance and is intended to provide a general overview of the compliance process. It is not comprehensive and does not replace the official CMMC 2.0 scoping guides, assessment guides, or training. DIB contractors should consult their legal, technical, and business advisors for specific guidance and support.

Step 1: Identify the level of CMMC certification

  • Review the current or desired DoD contracts and determine the CMMC certification level required for each contract.
  • Identify the type and location of FCI or CUI that the organization handles and map the data flow and storage across the organization and its subcontractors and suppliers.
  • Document the scope and boundary of the CMMC assessment and identify the systems, networks, and devices that are in scope.

Step 2: Conduct a gap analysis

  • Review the CMMC 2.0 scoping guide and assessment guide for the target level, and familiarize yourself with the practices and assessment objectives for that level.
  • Perform a self-assessment of the organization's current cybersecurity posture and compare it with the CMMC requirements for the desired level of certification.
  • Identify and prioritize the gaps and weaknesses that need to be addressed and estimate the time and resources needed to close the gaps.

Step 3: Develop and implement a remediation plan

  • Develop a remediation plan that outlines the actions, milestones, and responsibilities for implementing the required cybersecurity practices.
  • Implement the remediation plan and document the evidence of compliance, such as policies, procedures, plans, records, or reports.
  • Test and validate the effectiveness of the implemented cybersecurity practices and address any identified issues or deficiencies.

Step 4: Conduct a self-assessment or a third-party assessment

  • Depending on the level of certification, conduct a self-assessment or a third-party assessment of the organization's cybersecurity posture and ensure that the assessment covers both the technical security controls and the documentation, policies, and processes.
  • Use the CMMC Level 1 Assessment Guide for Level 1 self-assessments; use the CMMC Level 2 Assessment Guide together with the NIST SP 800-171 DoD Assessment Methodology for Level 2, and the Level 3 guide for the additional NIST SP 800-172 requirements.
  • At Level 1, confirm that every practice is MET; there is no numeric score and no POA&M. At Level 2, score the results on the 110-point scale and confirm that the score meets the threshold for certification (or for a conditional certification with a POA&M that can be closed within 180 days).

Step 5: Submit the assessment results to the SPRS

  • Ensure that the information entered in the SPRS is accurate, complete, and timely, and that the affirmation is made by a senior official with authority to bind the organization.
  • For Level 1 self-assessments (and Level 2 self-assessments where permitted), enter the assessment result and the annual affirmation in the SPRS. The SSP and supporting evidence are retained by the organization and must be available to assessors on request; they are not uploaded to the SPRS.
  • For Level 2 C3PAO assessments, the C3PAO records the results in the DoD's CMMC instance of eMASS, from which they flow to the SPRS; the organization then completes its affirmation in the SPRS.
  • For Level 3, DIBCAC records the assessment results; the organization's annual affirmation is again made in the SPRS.

Step 6: Maintain and monitor the compliance status

  • Maintain and monitor the compliance status and ensure that the organization continues to meet the CMMC requirements for the current and future DoD contracts.
  • Implement continuous improvement measures to enhance the organization's cybersecurity maturity and address any changes or updates to the CMMC framework or the DoD requirements.
  • Cooperate with the DoD and the C3PAO in any audits or investigations related to CMMC compliance and report any incidents or breaches that affect the FCI or CUI.

Bottom Line

CMMC 2.0 is a mandatory requirement for DIB contractors that handle FCI or CUI for the DoD. It is designed to ensure that DIB contractors properly protect the FCI and CUI that the DoD shares with them and to raise the cybersecurity of the DIB against evolving threats. Certification at the level stated in a solicitation is becoming a prerequisite for DoD contract award, meaning that businesses that fail to comply will lose their eligibility to bid for and perform those contracts.

If you are a DIB contractor who works with the DoD, you need to be aware of the CMMC 2.0 framework and its implications for your business. CMMC 2.0 is a mandatory cybersecurity standard that aims to protect sensitive information and national security. Depending on the level of certification that you need, you may have to implement various cybersecurity practices and undergo third-party assessments to verify your compliance.

Consilien is a leading technology compliance company that specializes in helping contractors achieve CMMC 2.0 compliance. We have the experience, knowledge, and tools to help you navigate the CMMC 2.0 requirements and prepare for the certification process. We can help you assess your current cybersecurity posture, identify and remediate any gaps, and implement the best practices and solutions for your business. Reach out to our team to learn more!