Achieving CMMC 2.0 Compliance as a DoD Contractor

If your manufacturing business deals with government contractors, you're probably familiar with the Cybersecurity Maturity Model Certification (CMMC). In case you're not, here's a brief explanation: CMMC refers to the prescribed standards that manufacturers and companies in the Defense Industrial Base must comply with, as mandated by the government and the Department of Defense. The aim is to guarantee that satisfactory cybersecurity measures are in effect for safeguarding contract information shared by the government.

While CMMC pertains to the security of your information, it's important to recognize that CMMC is more than just an IT problem. It impacts every member of the organization.

The government aims to ensure that the supply chain companies it collaborates with are safeguarding their information. CMMC is specifically intended to ensure that manufacturers and companies adhere to and certify a particular level of cybersecurity maturity and hygiene.

Understanding CMMC 2.0

CMMC 2.0 represents a departure from the original CMMC standard in terms of requirements. The government recognized that satisfying CMMC standards for many small businesses would be difficult. As a result, CMMC 2.0 is an effort to simplify and reduce the overhead for smaller organizations.

Instead of stressing out over comprehending and meeting CMMC requirements, let's examine what CMMC 2.0 entails and what it means for you.

Although the DOD is still deliberating, and no definitive decisions have been made yet, earlier statements suggest that you may be able to self-attest. However, you'll need a high-level executive within your organization to affirm that you meet the requirements. This accountability element was missing in NIST 800-171.

In CMMC 1.0, there were five levels of compliance that a company could achieve. However, in CMMC 2.0, there are three levels – Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

CMMC 2.0 Level 2 is intended for contractors who manage controlled unclassified information (CUI) and currently consists of 110 requirements. By comparison, CMMC Level 1 has fewer than 20 requirements, which we anticipate will encourage organizations to obtain a Level 2 certification or higher.

Adapting to CMMC 2.0

If you directly supply the DoD or subcontract with someone who does, CMMC regulations apply to you. Here are some steps you can take to prepare your business:

1. Understand the standard requirements: CMMC imposes a higher level of accountability and checks/balances. It's crucial to comprehend the requirements and clauses to avoid making false claims.
2. Enlist a guide to help: CMMC 2.0 can be challenging to tackle alone. We recommend seeking the guidance of an experienced consultant to assist you in understanding the requirements.
3. Manage your supply chain: If you work indirectly with the DOD or with subcontractors who do, ensure that you manage your supply chain both up and down to mitigate risks and potential liabilities.
4. Identify the owner of your CMMC 2.0 journey: Ensure that you have a dedicated person who understands the requirements and the level you must attain. This individual should also assist you in maintaining your certification.
5. Create a roadmap: Establish a starting point, define your end goal, and create a roadmap to guide you from point A to point B.

The Level 2 requirements of CMMC 2.0 are in line with NIST SP 800-171, which outlines the necessary steps for safeguarding CUI. To demonstrate compliance, Level 2 contractors will typically need to pass a third-party audit once every three years, in addition to annually demonstrating their compliance.

Manufacturers must be able to accomplish three key tasks to pass an auditor’s evaluation:

• Declare that they comply with each requirement;
• Provide supporting evidence such as policy documents and logs;
• Demonstrate the effectiveness of their compliance mechanisms.

For example, to meet the requirement for multifactor authentication, contractors would need to prove that all employees with CUI access use this form of authentication. This would require having policy documents, audit logs, and, in some cases, demonstrating the authentication process's effectiveness.

When to start preparing for CMMC 2.0 assessment?

Manufacturers are advised to begin by determining their current level of cybersecurity maturity. There are various tools available for self-assessment, but it's important to keep in mind that self-assessments are more complex than they may appear and require more time than expected.

Attention to detail is necessary for self-assessment. For example, it's not sufficient to simply state that employees receive cybersecurity training to meet a requirement. Companies must provide detailed information about the types and frequency of training, such as password management, protection of sensitive information, and preventing tailgating.

If training is not up to par, companies can develop a roadmap or plan of action and milestones (POA&M), a new feature in CMMC 2.0, to demonstrate that they are working toward compliance instead of having achieved it.

There may be some areas of CMMC 2.0, such as training, where action plans are allowed. Starting early will also give manufacturers the necessary time to build the cross-functional teams required for a strong cybersecurity plan.

How to prepare for CMMC 2.0 assessment?

To prepare for the assessment, you can start by creating a checklist of each requirement and assign a staff member the responsibility for each item in the checklist. Having identified subject matter experts on compliance activities increases the likelihood of audit success.

The speculation about the delays in CMMC 2.0 rollout and implementation mandate might make organizations wait on preparing for the assessment until more clarity is received. However, defence officials warn against waiting to start cybersecurity readiness and CMMC compliance, as the NIST 800-171 requirements have been around for a long time.

Contractors shouldn't delay in preparing for CMMC 2.0 Level 2 compliance, as full adoption should have started long ago. In March 2023, manufacturers will learn if CMMC interim rule has been granted, allowing its inclusion in contracts 60 days later. If not, CMMC won't be in contract until May 2024.

Final thoughts

The guidelines for CMMC compliance outline structured practices and procedures that can help any manufacturing company improve its security environment. These standards emphasize that achieving heightened security involves more than just network technology, and requires the implementation of practices and procedures to be followed by personnel.

To streamline compliance to CMMC 2.0, assistance with creating the documentation, assessments, monitoring compliance requirements, etc., the 6clicks platform is a one-stop solution. To know how 6clicks combines automation and AI to empower organizations to improve their ISMS, take a tour of the platform and get started with 6clicks.