Who Needs to Comply with CMMC 2.0?
Cyber risks are increasing by the day, and the only thing you can do is to strengthen your IT security. Especially if you work (or plan to work) with the Department of Defense (DoD) as a defense contractor, you need to level up your cybersecurity efforts.
One way to do that is by ensuring compliance with the updated Cybersecurity Maturity Model Certification or CMMC 2.0.
What is CMMC 2.0?
CMMC is a United States DoD program that applies to defense contractors or those who provide products or services to US Defense Industry. The certification aims to unify the standard among DoD contractors and ensure they adequately protect sensitive information.
It’s a pay-to-play type of certification where a business needs to attest to its level of security and compliance before it can do anything.
Recently, the DoD upgraded the original CMMC certification to streamline the model, reduce costs for contractors, require higher accountability, and align cybersecurity requirements with new federal requirements. These fundamental changes will be implemented under clause 252.204-7021.
We sat down with Edward Griffin, one of ITS’ partners for Security, to further discuss what businesses need to know about CMMC 2.0.
Here at Intelligent Technical Solutions (ITS), we help hundreds of clients and prospects stay on top of the newest cybersecurity trends and industry standards. In this article, we’ll go over:
- What are the levels of CMMC 2.0? (& Who needs it?)
- What are the consequences of not adhering to CMMC 2.0?
By the end of this article, you should know which level of CMMC 2.0 you need to prepare for so you can position yourself as a trustworthy organization.
What are the levels of CMMC 2.0?
And what level of CMMC does your business need?
The updated CMMC program structure narrows down the number of levels from five to three by eliminating transition levels 2 and 4. The aim is to simplify the program both for the contractors and the DoD and focus more on the things vital to National Defense.
Here are the three levels of CMMC 2.0:
1. Level 1 (Foundational)
This level is the same as the original Level 1 and only applies to companies that focus on Federal Contract Information (FCI) protection. It follows the most basic cybersecurity practices based on the 17 controls found in FAR 52.204-21 or the Basic Safeguarding of Covered Contractor Information.
These controls protect covered contractor information systems and limit access to authorized users.
2. Level 2 (Advanced)
Compliance with Level 2 is applicable to companies working with Controlled Unclassified Information (CUI). It is comparable to the old CMMC Level 3, with requirements that mirror NIST SP 800-171.
This eliminates all practices and maturity processes unique to CMMC 1.0 and aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.
3. Level 3 (Expert)
The highest level of the CMMC 2.0 Model focuses on reducing the risk from Advanced Persistent Threats (APTs). And businesses that handle more extensive and sensitive data will need to comply with a higher level of CMMC. That is why level 3 is designed for companies working with CUI on DoD’s highest priority programs and can be compared to the old CMMC Level 5.
What are the consequences of not adhering to CMMC 2.0?
All frameworks, standards, and regulations are built around the inherent distrust of an organization to do the right thing regarding security and compliance. However, CMMC is more rigid and formalized than other regulatory compliance and carries severe consequences.
“Other certifications do not have any sort of enforcement body,” Griffin says. “So, if an organization is not compliant, no assessors will castigate them asking them to shut down.”
With CMMC, it’s much more governed.
Griffin said it’s because it would be hard to trust business owners always to do the right thing about security. “When it comes down to an economic decision or even from a productivity or efficiency perspective, left to their owner, the majority of businesses will ignore security and compliance and just go for whatever will generate more revenue,” Griffin adds.
Of course, that would be a huge generalization, but it's mostly true when you look at the current state of cybersecurity.
Left to their own tools and devices, organizations will tend not to spend their limited capital on security items. Instead, they'll spend it on elements that directly benefit revenue generation.
And that would be threatening to the DoD since you’ll be given access to certain privileged information of the US Government. Hence, stricter compliance is expected before you can do business with any DoD sub-agencies.
So, although there are no fines associated with CMMC non-compliance, not getting CMMC certified already blocks you out of the DoD supply chain. This means that you are not and will never be allowed to work directly with DoD sub-agencies.
Moreover, non-compliance puts you in a bad light and puts your organization and your client’s data at risk.
Need help getting CMMC 2.0 certified?
Achieving CMMC certification takes too much time and resources since it is as complex as it is necessary. And that may take a toll on your small to medium-sized business. That is why the help of a reliable and expert service provider might be more beneficial in the long run.
As a Managed IT Service Provider (MSP), ITS has the necessary tools and assets to help assess and create a security and remediation plan to prepare you for compliance. This process includes running a gap analysis to see what you already have in place and what you don’t–and then filling the gaps to get to a certain level.
In addition, ITS also helps monitor the process, resolves issues, and provides detailed reporting to keep you in the loop. Here are other IT compliance standards ITS can help you with: