What are the latest updates on the Department of Defense CMMC Certification requirements, levels and timeline?
If your organization is part of the Defense Industrial Base (DIB) sector, you are most likely aware of the recent changes to the Department of Defense (DoD) requirements and timelines for federal contractors to comply with the Cybersecurity Maturity Model Certification (CMMC) based on their desired maturity level.
Recent news that the DoD's timeline for becoming CMMC certified will be pushed back may be a relief for some, but this is not the time to let off the gas on becoming CMMC compliant.
Now is a good time for organizations that need to be level 1 certified to begin assessing their cybersecurity environment against the 17 required controls and to understand where gaps may exist around the storage of Federal Contract Information (FCI).
Organizations that handle Controlled Unclassified Information (CUI) will need to be level 2 certified, which includes the 110 controls within the NIST 800-171 framework. A CMMC readiness review allows your organization's environment to be assessed from an outside perspective, producing a list of identified gaps as well as detailed recommendations for how you can reach level 2 maturity in the future.
Companies that will be required to become level 3 certified will need to follow the NIST 800-172 framework and will require a government-led assessment.
CMMC Model 2.0 – Key Changes and Requirements
For those that are unfamiliar with the DoD’s CMMC requirement, in November 2021, the DoD announced a revamped effort to control supplier compliance within the DoD’s supply chain through CMMC model 2.0.
This announcement came at a time when there had previously been little to no cybersecurity regulation, resulting in the loss of sensitive data and billions of dollars due to cyber-attacks on government infrastructure. The updated CMMC model is intended to better protect the DIB from advanced cyber-attacks on its infrastructure by requiring contractors to implement better cybersecurity hygiene.
The CMMC 2.0 model revamped cybersecurity compliance through the implementation of cybersecurity controls that are designed to protect systems from attack as well as protect FCI and CUI. The CMMC 2.0 model classifies organizations on three levels of compliance that are dependent on the level of sensitive data that the supplier handles.
CMMC model 2.0 replaced the previous CMMC 1.0 model, which included 5 levels of compliance and required a third party to assess all maturity levels. The updated 2.0 model allows level 1 contractors to self-assess, which provides smaller organizations cost benefits, greater flexibility, and more accountability.
CMMC 2.0 – Level 1 Considerations
Level 1, the “foundational” level of CMMC compliance, requires all contractors that have FCI in their contracts to implement a set of 17 basic cybersecurity practices that are required by the Federal Acquisition Regulation (FAR) 52.204-21. Organizations that fall under level 1 may perform an annual self-assessment of the FAR 52.204-21 controls and report their score to the Department of Defense.
CMMC 2.0 – Level 2 Considerations
Level 2 is the “advanced” level of CMMC that requires contractors that handle CUI to implement the National Institute of Standards and Technology (NIST) 800-171 framework, which includes 110 practices across 14 CMMC domains. If a contractor handles sensitive CUI, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires the contractor to be level 2 certified by having a CMMC Third Party Assessment Organization (C3PAO) perform an independent assessment to validate that the contractor has fully implemented the NIST 800-171 framework.
CMMC 2.0 – Level 3 Considerations
Level 3 is the “expert” level of CMMC maturity that is required for contractors that work with critical DoD infrastructure. Organizations seeking level 3 certification will be required to comply with the NIST 800-172 framework. Level 3 contractors are also required to be assessed by the DoD directly, as opposed to an independent C3PAO. At this time, level 3 requirements are still being finalized by lawmakers.
CMMC 2.0 Timeline Considerations
These tiered requirements were originally scheduled to begin in March 2023; however, the requirement has been delayed until 2024. All businesses should take advantage of becoming CMMC compliant early, as adopting the controls within the NIST framework will give businesses an improved cybersecurity posture and reduce liability in the event of a cyber-attack.
Companies that continue to work with the DoD and bid on federal contracts will be required to become CMMC certified at the level required by the DoD contract. Companies that do not complete CMMC certification after 2025 will not be able to bid on DoD contracts.
The Value of a Mock CMMC Assessment
All businesses can benefit now by taking advantage of a CMMC mock assessment, in which an independent firm assesses the business's IT infrastructure against the NIST 800-171 requirements and provides recommendations for where existing controls and processes can be improved, as well as which new controls should be implemented to reach the desired CMMC maturity level.
Regardless of whether your business will bid on federal contracts in the future, adopting the NIST 800-171 framework will improve your cybersecurity posture, as the framework includes a wide variety of cybersecurity practices across 14 domains.
How Can Schneider Downs Help?
If you are a business that will need to be CMMC compliant in the future, or a business that wants to improve your cybersecurity posture, the Schneider Downs IT Risk Advisory team can help your business by performing a CMMC or NIST 800-171 mock assessment.
Our IT Risk Advisory practice helps ensure that your organization is risk-focused, promotes sound IT controls, ensures the timely resolution of audit deficiencies, and informs the board of directors of the effectiveness of risk management practices. We will partner with you to provide comprehensive IT audits and compliance reviews that ensure your organization has effective and efficient technology controls that better align the technology function with your business and risk strategies.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].