CMMC 2.0 Standards for DoD

The Department of Defense (DoD) is prepared to roll out CMMC 2.0, a revamped version of the Cybersecurity Maturity Model Certification. As of May 2023, a phased implementation of the new version is in place, with the final deadline anticipated in October 2025. What does this mean for organizations wanting to do business with the DoD? Let's take a look. 

What is CMMC?

CMMC is designed to ensure all DoD contractors have sufficient security controls to protect sensitive information. Initially announced in mid-2019, version 1.0 of the standard was published in January 2020. CMMC's end goal is to significantly reduce the risk of adversaries penetrating the systems of defense contractors. 

As the old saying goes, CMMC 'stands on the shoulders of giants' by incorporating requirements from multiple pre-existing frameworks, including those published by NIST, ISO, and AIA. With the release of CMMC 2.0 announced in November 2021, the updated version follows NIST 800-171 more closely. CMMC 2.0 marks a significant milestone in the ongoing efforts to enhance cybersecurity across the defense industrial base. The DoD aims to foster a collaborative relationship with industry players by refining the certification process and easing the compliance burden. 

Who Needs to Comply with CMMC?

Anyone wanting to do business with the DoD must be certified under CMMC.

Subcontractors aren’t exempt — every organization throughout the supply chain needs some level of certification. The level of certification needed varies by organization type and the type of information held or transmitted. Although the final deadline to comply with CMMC 2.0 isn't until October 2025, some DoD contractors are beginning to require subcontractors to demonstrate compliance now.

The rule is simple: No certification, no contract.

Further, aspiring contractors are expected to get certified before applying for a contract. However, organizations will be able to reclaim part of the cost if successful in winning a contract.

There is one (and only one) exception to the need for certification. Companies that only sell commercial-off-the-shelf products (COTS) are exempt and will not need to achieve any level of CMMC certification.

What’s Included in CMMC?

CMMC is one of the most comprehensive compliance standards ever produced for cybersecurity. Based on industry best practice — and borrowing heavily from existing frameworks — the standard requires DoD contractors to establish and maintain controls across 43 cybersecurity capabilities:

ACCESS CONTROL (AC)

1. Establish system access requirements
2. Control internal system access
3. Control remote system access
4. Limit data access to authorized users and processes

ASSET MANAGEMENT (AM)

5. Identify and document assets
6. Manage asset inventory

AUDIT AND ACCOUNTABILITY (AU)

7. Define audit requirements
8. Perform auditing
9. Identify and protect audit information
10. Review and manage audit logs

AWARENESS TRAINING (AT)

11. Conduct security awareness activities
12. Conduct training

CONFIGURATION MANAGEMENT (CM)

13. Establish configuration baselines
14. Perform configuration and change management

IDENTIFICATION AND AUTHENTICATION (IA)

15. Grant access to authenticated entities

INCIDENT RESPONSE (IR)

16. Plan incident response
17. Detect and report events
18. Develop and implement a response to a declared incident
19. Perform post-incident reviews
20. Test incident response

MAINTENANCE (MA)

21. Manage maintenance

MEDIA PROTECTION (MP)

22. Identify and mark media
23. Protect and control media
24. Sanitize media
25. Protect media during transport

PERSONAL SECURITY (PS)

26. Screen personnel
27. Protect CUI during personnel actions

PHYSICAL PROTECTION (PE)

28. Limit physical access

RECOVERY (RE)

29. Manage back-ups
30. Manage information security continuity

RISK MANAGEMENT (RM)

31. Identify and evaluate risk
32. Manage risk
33. Manage supply chain risk

SECURITY ASSESSMENT (CA)

34. Develop and manage a system security plan
35. Define and manage controls
36. Perform code reviews

SITUATIONAL AWARENESS (SA)

37. Implement threat monitoring

SYSTEMS AND COMMUNICATIONS PROTECTION (SC)

38. Define security requirements for systems and communications
39. Control communications at system boundaries

SYSTEM AND INFORMATION INTEGRITY (SI)

40. Identify and manage information system flaws
41. Identify malicious content
42. Perform network and system monitoring
43. Implement advanced email protections

Similar to existing frameworks like the CIS Benchmarks, CMMC previously included five levels of certification. One of the primary changes in CMMC 2.0 is the elimination of levels two and four, effectively reducing the number of security tiers from five to three. In this case, Level 1 is the same as the previous Level 1, Level 2 becomes the previous Level 3, and Level 3 becomes the previous Level 5.

• Level 1: Performed - Requires the basic controls needed for essential cyber hygiene. This level of certification is needed by contractors that hold or process mildly sensitive content such as Federal Contract Information (FCI).

• Level 2: Managed - Managed Level 2 certification represents a moderate standard of cyber hygiene for an established organization and requires all 110 NIST controls with an additional 20 controls from various sources. This level will be a requirement for the majority of DoD contractors that hold or process CUI.

• Level 3: Optimizing - To be certified at level 3, contractors must have a fully mature cybersecurity function across all 43 capabilities.

Note that the requirements for many capabilities increase as you progress through the five levels of certification. At the lower levels, many capabilities (e.g., threat monitoring) aren’t required at all.

Prepare for CMMC with CimTrak

For many current and aspiring DoD contractors, CMMC represents a significant need to improve cybersecurity maturity.

With version 2.0 of the standard underway and all DoD contracts requiring certification, many organizations face the challenge of revamping their cybersecurity program in the upcoming year.

CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making identifying security issues in hardware and software assets easy.

Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC. 

• AC - Access Control

• AM - Asset Management

• AU - Audit and Accountability

• CM - Configuration Management

• IR -  Incident Response

• RE - Recovery

• RM  - Risk Management

• SA - Security Assessment

• SC - System & Communication Protection

• SI - System & Information Integrity 

To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.