CMMC Overview and Guides
The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the Department of Defense (DoD) to protect the defense industrial base from cybersecurity threats.
CMMC was designed to ensure that defense contractors meet at least a basic level of cybersecurity hygiene to protect sensitive defense information. To that end, CMMC requires DoD contractors to be assessed against a defined set of security requirements, either by self-assessment or by an independent assessment, depending on the level the contract calls for.
What is CMMC?
CMMC’s goal is to ensure the protection of sensitive defense information. Defense information can be categorized into two types:
- Controlled Unclassified Information (CUI): in general, this is information marked or identified in a government contract as requiring protection under the CUI program.
- Federal Contract Information (FCI): information not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
As a defense contractor, it’s important to understand the type of information shared under the relevant DoD contract, because this determines the level of protection you’ll need to implement to mitigate cybersecurity risk. CMMC is built on ascending levels of preparedness, so the required level of protection varies with the sensitivity of the data. The levels range from basic cyber hygiene at Level 1 to advanced cybersecurity at the higher levels. Generally, Level 1 is required for FCI and Level 2 or Level 3 is required for CUI.
CMMC version 1.0 was published in January 2020 and the framework has since undergone a series of changes.
CMMC 1.0
CMMC version 1.0 was published in January 2020 (the interim DFARS rule implementing it took effect in November 2020) and included:
- Five (5) levels of cyber hygiene:
  - Level 1 – Basic
  - Level 2 – Intermediate
  - Level 3 – Good
  - Level 4 – Proactive
  - Level 5 – Advanced/Progressive
- 17 domains
- 171 practices, cumulative across the five levels
- Process maturity requirements at Levels 2 through 5
- Certification requirements: third-party assessment and certification at every level, with no self-assessment option. Levels 2 and 4 were regarded as transitional steps toward Levels 3 and 5 and were not expected to be specified in contracts.
CMMC 2.0
In November 2021, the DoD announced CMMC 2.0. Version 2.0 includes several modifications relative to the prior version:
- Three (3) levels:
  - Level 1 – Foundational
  - Level 2 – Advanced
  - Level 3 – Expert
- 14 domains, matching the 14 requirement families of NIST SP 800-171
- 17 practices at Level 1 and 110 at Level 2; Level 3 adds a subset of NIST SP 800-172
- Assessment requirements: Level 1, and a subset of Level 2 programs that do not involve information critical to national security, are self-assessed annually. Level 2 programs involving such information require a triennial assessment by an accredited third-party assessment organization (C3PAO). Level 3 requires a triennial government-led assessment.
CMMC 2.0 differs from 1.0 in the following key ways:
- It trims the number of CMMC levels from five to three.
- CMMC 2.0 is aligned with the 110 security requirements of NIST SP 800-171. Level 2 certification indicates that an organization can securely store, process and share CUI.
- Whereas Plans of Action and Milestones (POA&Ms) were not allowed in 1.0, CMMC 2.0 allows limited use of POA&Ms. They are restricted to the lowest-weighted requirements (1-point items under the DoD assessment scoring methodology, with a narrow exception) and must be closed out within 180 days of the assessment, after which a conditional certification lapses if the open items have not been remediated.
- Waivers for certification will be permitted in very limited circumstances.
What are Plans of Actions and Milestones (POAMs) ?
As a defense contractor, a Plan of Action and Milestones (POA&M) is a necessary part of your compliance strategy. A POA&M gives an organization a path to compliance by spelling out the specific measures it will take to correct deficiencies found during an assessment or to meet CMMC requirements it has not yet fully implemented. POA&Ms allow organizations to bid for contracts on a conditional basis before achieving full compliance.
A POA&M should list not only the outstanding security tasks, but also the resources required, the milestones that must be met and the completion dates for those milestones.
What are the CMMC Version 2.0 Levels?
CMMC 2.0 lowers the number of CMMC levels from five to three (Level 1, Level 2 and Level 3) and includes cybersecurity practices across 14 domains.
- Level 1 (Foundational) applies to companies that handle only FCI. It is comparable to the old CMMC Level 1 and consists of the 17 practices derived from the basic safeguarding requirements of FAR 52.204-21.
- Level 2 (Advanced) is for companies that handle CUI. It is comparable to the old CMMC Level 3. It aligns with the 14 requirement families and 110 security requirements of NIST SP 800-171, published by the National Institute of Standards and Technology (NIST), and drops the practices and maturity processes that were unique to CMMC 1.0.
- Level 3 (Expert) is designed for companies working with CUI on the DoD’s highest-priority programs. It is comparable to the old CMMC Level 5. At the time of writing the DoD was still finalizing the specific Level 3 requirements, but has indicated that they consist of the 110 NIST SP 800-171 requirements plus a subset of the enhanced requirements in NIST SP 800-172.
The CMMC certification process
CMMC certifications are valid for three years. Level 2 certification assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs), which are authorized and accredited by the CMMC Accreditation Body; Level 3 assessments are government-led. The C3PAO issues a CMMC certificate based on the results of the assessment.
One practical difficulty is that there are relatively few authorized C3PAOs, so getting onto a C3PAO’s schedule can take a long time. To verify that an assessor is an authorized C3PAO, check the Cyber AB (formerly CMMC-AB) marketplace directory.
Who Should Pursue a CMMC certification?
CMMC applies to any prime contractor or subcontractor, of any size, that handles FCI or CUI under a DoD contract, including organizations that also do non-defense work. That covers a large number of organizations.
Most businesses will need only Level 1 or Level 2; Level 3 is reserved for the highest-priority programs.
The required level is specified in the solicitation (Request for Proposal, RFP) and the resulting DoD contract.
What will this cost me?
Typically, achieving CMMC certification can cost anywhere from $50,000 to $100,000 when you factor in the cost of the assessment firm as well as internal costs, including lost productivity, staff training, and the resources needed to meet specific requirements.
At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- Cost of CMMC compliance readiness using the TrustCloud platform – FREE for startups… By automating much of the process and offering a transparent, straightforward pricing structure, we make it easier for you to manage the overall cost of achieving CMMC readiness.
- An assessor. We’ve developed strong relationships with a number of assessment firms. Not only are they trained on the platform and know how to evaluate your business, they are also able to pass along sizable discounts as a result of a referral from TrustCloud. CMMC assessment partners in the TrustCloud network charge between $15,000 and $30,000 for CMMC assessments, depending on the maturity and complexity of the engagement.
If you think about it, we’ve created a win-win-win scenario.
How long is the CMMC process going to take?
Without TrustCloud, you would be looking at a very manual and tedious process that could take up to a year. During this time, you would need to understand each requirement and how it applies to your business, conduct the necessary testing, gather all the evidence demonstrating your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an assessor needs to evaluate your business and observe your practices.
Continue to the next article to learn how to get started with CMMC!