CMMC 2.0 – An Introduction
This may not come as a surprise, but the defense industry is big business. It can also be top secret business, depending on your contractual obligations. CMMC 2.0 (the second iteration of the Cybersecurity Maturity Model Certification) helps to streamline and clarify the cybersecurity requirements for companies contracting with the Department of Defense (DoD).
For some prime contractors, dealing with the DoD can mean dealing with highly classified information, which is governed by separate rules (CMMC does not cover classified data). Many prime contractors, however, and most of their subcontractors and sub-subcontractors will likely find themselves in possession of unclassified but still protected, sensitive information. That’s why the DoD announced CMMC in 2019 – to give private industry contractors a clear, assessable standard for protecting the government data in their care.
A Brief History of CMMC
Until 2019, the rules and regulations governing DoD contracts and cybersecurity weren’t exactly always crystal clear (to put it nicely). To be fair, it’s not like U.S. tax codes are always crystal clear, either. But when it comes to data security, the government and the defense industrial base (DIB) both have a vested interest in creating clear guidelines on how to keep data safe.
The DoD was concerned with the ways that information was littered throughout the supply chain. It was all too common for information to be emailed around willy nilly or bandied about in spreadsheets that weren’t properly encrypted. On the other side of things, the DIB was concerned with the confusing and often outdated rules about how they were supposed to handle information. Enter: CMMC 1.0.
CMMC 1.0 was a cybersecurity maturity model that sought to clarify the security controls that private industry contractors should have in place when working with the DoD. Importantly, the DoD set out with the intention of developing CMMC over time – working with the DIB to find guidelines that were actually practical for the industry. To draft CMMC 1.0, the DoD pulled together a number of existing security frameworks and best practices and mapped them onto a five-level model, each level adding practices and process-maturity requirements on top of the one below. That model lasted about two years.
In fall of 2021, the DoD introduced CMMC 2.0 – a three-level model designed to consolidate some of the guidance and align more clearly with existing frameworks (e.g. NIST SP 800-171).
What CMMC 2.0 Does
Fundamentally, the CMMC framework helps to protect sensitive but unclassified information. None of the three levels covers classified information; the top level (Level 3 – Expert) is aimed at protecting Controlled Unclassified Information (CUI) on the DoD’s most critical programs against advanced persistent threats, while the lower levels protect CUI and basic contract information. Why would unclassified information need to be protected, you ask? Because even if it’s not top secret, government information still isn’t something the DoD wants rolling around on the internet.
However, once you get into the world of unclassified information – CUI to be precise – it can be a bit nebulous as to what actually earns that title. What is clear is the consequence: if your organization stores, processes or transmits CUI, you have to meet CMMC 2.0 Level 2 – Advanced, and export-controlled information (ITAR/EAR data) is a category of CUI, so it pulls you into Level 2 as well. If, on the other hand, you only handle Federal Contract Information (FCI) – information provided by or generated for the government under contract that isn’t intended for public release – you may just have to meet the requirements of CMMC 2.0 Level 1 – Foundational, the basic safeguarding requirements from FAR 52.204-21. Which category a given piece of data falls into is still not always crystal clear, and the contract (look for DFARS 252.204-7012 and 7021 clauses) is the place to start.
Why CMMC 2.0 Matters
Obviously, protecting DoD and federal data matters. But CMMC 2.0, specifically, is useful in the way that it has simplified the requirement levels. Where once there were five levels, there are now three, making it somewhat easier to figure out where your organization needs to land. Probably. The assessment model was simplified too: Level 1 is an annual self-assessment, Level 2 is a third-party assessment by a C3PAO every three years for most CUI programs (with an annual self-assessment option for a select subset), and Level 3 is a government-led assessment.
The big change in CMMC 2.0 is that the upper two levels now align with existing NIST standards – Level 2 with the 110 requirements of SP 800-171, and Level 3 with SP 800-171 plus a subset of the enhanced requirements in SP 800-172. For anyone who doesn’t immediately recognize these governmental special publications, they outline cybersecurity practices (access control, multifactor authentication, audit logging, incident response, configuration management and more) that have become something of a data security gold standard over the years. Not every organization is required to meet these standards. Those that do tend to be better protected from data breaches, ransomware, spyware, malware and general digital villainy than those who don’t.
If you know your organization is already meeting NIST SP 800-171 (with a System Security Plan and a current score in SPRS to back it up), great! You’re in excellent shape for Level 2. But whether you’re meeting it or not, you should still consult an expert if you want to figure out where you need to be with CMMC 2.0. Even with the improvements in the framework, it can still be somewhat nebulous how rigorous your security measures need to be, and scoping matters: the controls apply to the systems that store, process or transmit FCI or CUI, so a well-defined enclave can shrink the assessment boundary considerably. It doesn’t make sense to be maintaining a level of security that you don’t actually need. Nobody wants to pay for (or live through) an audit if they don’t actually have to.
Talk to an Expert
While good cyber hygiene is important for every organization, it generally doesn’t make sense to go all in all the time. It’s better to find the security practices that are both effective and economically sensible given the needs of your organization. Working with a Registered Provider Organization (RPO) – a consultancy registered with the CMMC accreditation body to help contractors prepare, as distinct from the C3PAO that performs the assessment – will help ensure you don’t waste time, money and resources on a level of security that you don’t actually need.
Still wondering what CMMC 2.0 might mean for your organization? Download our white paper – Cybersecurity Maturity: Understanding the Basics of CMMC – or reach out to one of our experts today!