What is CMMC 2.0?
CMMC 2.0 refers to the latest version of the Cybersecurity Maturity Model Certification (CMMC) framework, which is a cybersecurity standard developed by the United States Department of Defense (DoD).
CMMC 2.0 is an update to the original CMMC version 1.0, which was released in 2020. It builds on the earlier version and includes several enhancements and improvements.
CMMC 2.0 is expected to become the official standard for cybersecurity certification in the DoD supply chain in the near future, and all organizations that work with the DoD will need to comply with its requirements.
What level of CMMC 2.0 certification do you need?
The level of CMMC certification required depends on the type and sensitivity of government information that an organization handles. Here is a summary of the certification levels:
Level 1 (Foundational): This level requires 17 practices for an annual self-assessment, and is intended for organizations that handle Federal Contract Information (FCI) only.
Level 2 (Advanced): Organizations that handle Controlled Unclassified Information (CUI) will need to obtain Level 2 certification. This level includes 110 practices aligned with NIST SP 800-171 and may require third-party assessments for prioritized acquisitions. Self-assessments may be allowed for certain programs, such as non-prioritized acquisitions. About 80,000 organizations are expected to require this level of certification.
Level 3 (Expert): The highest priority programs that handle CUI will require Level 3 certification. This level includes 110 practices based on NIST SP 800-172 and requires triennial assessments by the government. Although only about 400-500 organizations are expected to need this level of certification, it's possible that more organizations will be required to meet Level 3 requirements in the future.
The timeline for CMMC 2.0 compliance
Initially, the government estimated that the finalization of CMMC 2.0 rulemaking would take up to 24 months. As CMMC 1.0 had a phased approach targeting full requirement implementation in RFPs and RFIs by 2025, many organizations believed they had until then to become compliant.
However, in May 2022, the DoD indicated that the final rules could be completed by March 2023. As a result, contractors may see CMMC requirements in RFIs as early as May 2023. Unlike CMMC 1.0, where certification was not required at bid, CMMC 2.0 requires organizations to be certified at the appropriate contract level when they submit their packages.
This means that the timeframe for many organizations to become CMMC compliant is now much shorter than previously thought. If an organization intends to bid on or renew contracts in early 2023, it is crucial to get certified at the appropriate CMMC level required for those contracts. Thus, organizations need to consider the contracts they plan to pursue and take into account the time they will need to complete the certification before bidding.
Budget planning for CMMC 2.0
In discussing the total cost of ownership for CMMC certification, it's important to consider not just the expense of purchasing applications or hiring consultants, but also the internal resources required to complete the process. The greater the number of employee hours invested, the higher the overall cost is likely to be.
Initially, the government estimated that the cost of achieving CMMC 1.0 Level 3 certification, which is now equivalent to CMMC 2.0 Level 2 certification, would be approximately $51,000. Contractors could then adjust their operating costs and overhead to accommodate this expense, which could be included in the proposal submitted to the government. However, these estimates may be lower than the actual cost. Currently, only one C3PAO has published rates for a Level 2 assessment, which are already over $60,000.
Recommendations for CMMC 2.0 compliance
While CMMC 2.0 is often discussed as a way to effectively reduce cyber risk, ultimately its purpose is to minimize the risk of breach of contract. Failure to meet DFARS and CMMC requirements set by the government can lead to a breach of contract, and this is what CMMC 2.0 aims to prevent.
The following recommendations help ensure CMMC 2.0 compliance:
- Ensure you have uploaded your SPRS score to the government database. Remember, you should only submit your SPRS score after completing your SSP, and you should be honest and accurate when submitting it. If you're a small or medium-sized contractor, it's better to show a lower initial SPRS score that improves over time than to overstate your score and risk an independent government audit.
- If you're self-attesting to CMMC 2.0 Level 1, fully understand your organization's commitments. The business owner signing the documents will be legally bound to their accuracy. Willful misrepresentation could be used against you by the new Civil Fraud division.
- Even if a C3PAO certifies you at CMMC 2.0 Level 2, ensure your organization is resilient enough to withstand an attack and prevent a claim over performance and schedule deficiencies. A C3PAO only looks at the goals and objectives defined by DoD under NIST SP 800-171, which is not a silver bullet. Be aware of all the obligations to which you may be exposed, including data breach notification requirements in the states you operate in. Non-compliance with these requirements can result in financial penalties that could impact your organization's ability to perform at the same level of fidelity to the government.
Taking a preliminary self-assessment
Consider conducting a preliminary self-assessment of your CMMC readiness if your organization is already on the journey. This can provide valuable information to ensure all requirements are met when you're ready to either self-attest or go for certification.
You can contact a C3PAO to conduct a self-assessment, but keep in mind they can only confirm if controls are met or not. If you require consultative guidance, including an explanation of why certain standards were not met and suggestions for closing those gaps, working with a CMMC Registered Provider Organization (RPO) may be more beneficial.
Your next step in preparing for CMMC 2.0
If your organization is still using traditional tools to manage your CMMC framework implementation, you should be prepared to pay a high price. Not only will it be a slow and burdensome process, but you'll also have to work with disparate systems and data that don't communicate with each other, increasing the chance of errors.
This should be of concern, particularly given the U.S. Department of Justice's Civil Cyber-Fraud Initiative, which allows the government to pursue contractors and grant recipients who make false claims about their cybersecurity practices.
Fortunately, there is a faster, more efficient, and more accurate way to plan for, implement, and manage your CMMC 2.0 framework. 6clicks simplifies assessments and guides you through questions for each control objective, allowing you to measure your control performance and instantly identify any gaps in your CMMC 2.0 requirements.
6clicks helps to accurately determine your SPRS score, which you can submit to the government with a higher level of confidence in its accuracy.
The 6clicks dashboard makes it easy to provide information on CMMC performance to your C-suite and key stakeholders. The data storytelling feature of LiveDocs lets you present information in language that everyone understands and that connects with organizational goals and objectives.
To learn more, take a demo tour of the 6clicks platform and see how we bring automation and AI to simplify compliance for a strong Information Security Management System (ISMS).