Adversaries of the United States understand that defense contractors are easier targets than the Department of Defense (DoD) itself because their cyber protections are often weaker. To address this issue, the DoD created the Cybersecurity Maturity Model Certification (CMMC), which requires contractors to meet strict cybersecurity standards and prove their compliance through a third-party assessment. 

Intellectual property (IP) theft in the defense industry can weaken the U.S. technological advantage, making it a risk to national security. To help protect unclassified information, the DoD works with contractors to improve cybersecurity using the CMMC framework. This helps the entire defense industry better protect valuable information. 

The CMMC framework combines cybersecurity practices from various sources, such as defense contractors and the DoD, and organizes them into categories with different maturity levels. By aligning these practices with specific capabilities, the CMMC framework ensures that defense contractors have strong cybersecurity strategies in place to protect their valuable information and keep the U.S. technologically ahead of its adversaries. 

When Will CMMC 2.0 Go into Effect? 

The first version of the cybersecurity standards was released for consideration in February 2020. After gathering feedback from agencies and contractors, the DoD began a period of revisions and provided a tentative timeline for implementation. The CMMC 2.0 requirements were expected to be in all new contracts by October 2025, but due to the rule-making process, it now seems they won’t begin appearing in solicitations until May 2023, given that the comment period is usually open for 60 days.  

What to Expect: CMMC 2.0 Timeline 

February 1, 2020: Introduction of New Version. Initial draft of CMMC 2.0 released.

February 1, 2020: Revision Period. The DoD collected feedback and worked to make the appropriate revisions to CMMC 2.0.

March 1, 2023: Finalization Period. Finalization of CMMC 2.0 requirements.

March 1, 2023 to May 1, 2023: Comment Period. 60-day window for companies to provide feedback on the new CMMC requirements.

May 1, 2023 to May 26, 2023: Final Version Released. Expected release of finalized CMMC 2.0.

May 26, 2023: Implementation Period. Roll-out of CMMC 2.0 for defense contracts.

October 1, 2025: Compliance Deadline. CMMC 2.0 compliance required.


The process of implementing CMMC across all defense contracts will take three years, with the goal of finishing by October 1, 2025. To receive a contract with the necessary requirements, you’ll need to have full CMMC certification.  

The new version, 2.0, reduces the certification levels from five to three and includes other changes to better address threats and align with industry standards. If you’re a DoD contractor, you need to figure out the kind of information you’re managing and the CMMC level you need to maintain your contracts. 

How Is CMMC 2.0 Different from the 1.0 Version? 

Between 2020 and 2023, the DoD introduced modifications in response to feedback on CMMC 1.0. Its goals were to minimize expenses and bureaucratic hurdles, especially for small businesses, to enhance confidence in the CMMC evaluation framework, and to better align cybersecurity requirements with other federal mandates and widely recognized standards. 

CMMC 2.0 differs from the 1.0 version in two main ways: the reduction of maturity levels and changes to assessment requirements.  

Streamlined Maturity Model 

In CMMC 2.0, the number of maturity levels has been streamlined from five to three, eliminating Levels 2 and 4 from the previous version. The three new levels in CMMC 2.0 directly correlate to existing federal requirements: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

Lower Barrier to Certification 

Assessment requirements have also been modified in CMMC 2.0. Level 1 contractors can now perform annual self-assessments. Level 2 contractors can complete self-assessments and submit senior official affirmations for non-prioritized acquisitions, but must obtain third-party assessments for prioritized acquisitions. Level 3 contractors must undergo triennial CMMC certification conducted by government officials.

More Rigorous Requirements

CMMC 2.0 regulations represent a major shift in cybersecurity expectations for Department of Defense contractors. Compared to previous security frameworks, CMMC Level 2 compliance in particular requires much more rigorous preparation and investment. The controls and documentation standards under CMMC are more advanced than other common frameworks, like ISO 27001, PCI, and HIPAA.

By making CMMC certification mandatory for DoD contractors, the government is compelling private sector companies to adopt sophisticated best practices. Meeting the elevated compliance bar set by CMMC 2.0 will demand substantial time, resources, and organizational maturity compared to cybersecurity expectations in the past.

Third-Party Assessment Is Required

It’s also important to note that independent third-party audits will now be explicitly necessary to certify compliance and perform site inspections, rather than self-assessments.

“A few years ago, the DoD did an audit of companies that had completed the CMMC compliance self-assessment and found that only something like 10-15% of those entities were actually complying. So, this spurred a new requirement. They said, ‘well, this self-assessment thing is not cutting it; we’re getting only a 10% assurance level…We need a more formal program.’ And now we expect that level 2 compliance, and higher, will have to be attested to by third-party assessors, or C3PAOs in this case.”

Ian Terry, ISO/IEC 27001 LA, PCI-DSS QSA, CISSP, and Director of Cybersecurity Services at AWA.

How Long Will It Take to Get in Compliance with the New Version of CMMC? 

On average, it takes about 12-18 months for a company with 50-100 employees to get in compliance with the NIST SP 800-171 guidelines, which are the basis for CMMC Level 2. Most businesses are over a year late due to possible changes in the rules. To be prepared for new rules in May 2023, companies should have started working on this in late 2021 or early 2022. If there is a proposed rule change, they need to start implementing it in early 2023. 

What Is the Significance of CMMC? 

The enforcement of CMMC compliance shows how the government can advocate for enhanced cybersecurity protocols without explicitly legislating them. This illustrates the government’s ability to use a single approach to compel a greater number of private sector organizations to bolster their security by adopting the CMMC standard. Although it is somewhat based on NIST, the CMMC is an independent certification system not created by the federal government. Nevertheless, it has become mandatory for Department of Defense contractors and subcontractors. 

Is CMMC Replacing NIST? 

No, CMMC is not replacing NIST standards. Although it is somewhat based on NIST, the CMMC is an independent certification system not created by the federal government.  

CMMC is a certification framework that is designed to ensure contractors’ compliance with existing NIST standards, such as NIST SP 800-171 and a subset of NIST SP 800-172. CMMC was created to address the low levels of adoption of NIST SP 800-171 among DoD contractors. While CMMC certification helps verify compliance with certain NIST requirements, contractors still need to comply with all NIST SP 800-171 requirements, including both CUI and NFO controls. 

How Long Is CMMC Good For? 

CMMC certification is valid for three years. Organizations at Level 2 and Level 3 must therefore undergo reassessment every three years, when the certificate expires. CMMC Level 1 self-assessments, however, must be carried out yearly. 

Can You Self-Certify CMMC? 

Yes, you can self-certify for CMMC under certain circumstances. With the move to CMMC 2.0, Level 1 contractors are allowed to perform annual self-assessments. Level 2 contractors can also complete self-assessments and submit senior official affirmations for non-prioritized acquisitions. 

For any other level of compliance certification, including Level 2 prioritized acquisitions, a certified third-party assessor organization will be required for attestation.

Does CMMC Certification Require an Audit? 

Yes, Level 3 contractors are required to undergo CMMC certification conducted by government officials every three years, and Level 2 contractors must obtain third-party assessments for prioritized acquisitions. 

“The DoD will only accept CMMC assessments provided by the Government or an authorized and accredited C3PAO or certified CMMC Assessor. C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments,” states the Department of Defense on its website. 

What Happens If You Fail to Comply with CMMC? 

There are no direct fines for not following these rules yet, but companies that don’t follow them won’t be able to work on defense contracts. The DoD plans to conduct random checks to ensure companies follow the rules and compare them to what they’ve declared.  

Companies need to follow the rules in the Supplier Performance Risk System (SPRS) and the Defense Federal Acquisition Regulation Supplement (DFARS), which many may already know about. If a company lies about following these rules, it could face fines and penalties under the False Claims Act (FCA). 

Do Subcontractors Need to Be CMMC Certified? 

Yes, subcontractors need to be CMMC certified if they work with certain types of sensitive information, like Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). The DoD ensures that prime contractors and subcontractors protect this information by including special rules in their contracts.  

The CMMC program checks that subcontractors follow cybersecurity standards, such as NIST SP 800-171, when they need to protect CUI. Sometimes, the DoD might ask for an official certification instead of just a self-assessment. This requirement also extends to equipment manufacturers and material suppliers, even if they don’t directly provide their products to the DoD. 

If a defense company doesn’t work with CUI but does work with FCI, they need to do a CMMC Level 1 self-assessment. They must send the results and a yearly statement from a high-ranking company official to the Supplier Performance Risk System (SPRS). 
