CMMC 2.0: Streamlining Security for a More Secure Defense Industry

At StartProto, we understand the ever-evolving cybersecurity landscape and the critical role the Defense Industrial Base (DIB) plays in safeguarding our nation. That's why we're excited to dive into the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, a collaborative effort between the Department of Defense (DoD) and industry partners like you.

Why CMMC?

Let's face it, cyber threats are a growing concern. Malicious actors are constantly seeking ways to exploit vulnerabilities and steal sensitive information. The CMMC program is here to address this head-on. By verifying that contractors have implemented essential security controls, CMMC strengthens the overall cybersecurity posture of the DIB, protecting the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that flows through contractor systems (CMMC does not cover classified information, which is governed separately) and ultimately empowering a more secure nation.

The Context of CMMC

The CMMC program was created by the Department of Defense (DoD) in response to concerns about the cybersecurity of its contractors' information systems. Malicious actors increasingly target defense contractors, attempting to steal or exploit sensitive information. The CMMC program aims to improve cybersecurity by verifying that contractors have implemented the necessary security measures.

The Structure of the CMMC Program

What's New in CMMC 2.0?

CMMC 2.0 is the latest version of the program, announced in November 2021 and still going through the rulemaking process (the proposed rule was published in the Federal Register on December 26, 2023). It streamlines the original five-level model into three levels and, rather than relying on self-attestation alone, assigns an assessment type to each level: an annual self-assessment at Level 1 (and for a subset of Level 2 contracts), a third-party certification assessment for most Level 2 contracts, and a government-led assessment at Level 3. Here's a breakdown of the key features:

  • Three Levels Tailored to Needs: CMMC 2.0 offers three levels – Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert) – matched to the sensitivity of the information a contractor handles: FCI at Level 1, CUI at Levels 2 and 3. There is more information on these levels below.
  • Leveraging Existing Standards: The program does not define its own control catalog. Level 1 uses the safeguarding requirements of FAR 52.204-21, Level 2 uses the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and Level 3 adds requirements from NIST SP 800-172. This reduces complexity and leverages existing industry knowledge.
  • Flexibility for Success: CMMC 2.0 understands that achieving optimal security is a journey. The program allows for Plans of Action and Milestones (POA&Ms) on a limited set of requirements (the highest-weighted requirements are not POA&M-eligible), producing a conditional status that becomes final only once the open items are closed and verified within 180 days of the assessment. Additionally, the DoD may waive the CMMC requirement for specific contracts in limited, mission-critical circumstances.

Compared with the self-attestation (verifying yourself) model of the existing DFARS requirement, CMMC adds independent verification where the information is most sensitive. The DoD will rely on accredited independent organizations, called CMMC Third-Party Assessment Organizations (C3PAOs), to conduct Level 2 certification assessments; Level 1 and eligible Level 2 self-assessments are recorded by the contractor in the Supplier Performance Risk System (SPRS) with an annual affirmation by a senior official, and Level 3 assessments are performed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The CMMC program has three levels:

  • Level 1 (Foundational): Applies to contractors that handle FCI. Requires implementation of the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment.
  • Level 2 (Advanced): Applies to contractors that handle CUI. Requires implementation of the 110 security requirements of NIST SP 800-171 (the proposed rule references Revision 2). This level aligns with the existing DFARS 252.204-7012 clause, which already requires implementation of NIST SP 800-171; what changes is that most Level 2 contracts will require a C3PAO certification assessment every three years rather than a self-assessment.
  • Level 3 (Expert): Applies to a select group of DoD programs that handle CUI at the highest risk of advanced persistent threats. Level 3 builds on a Level 2 certification by adding 24 additional security requirements drawn from NIST SP 800-172, assessed by DCMA DIBCAC.

Implementation and Public Comment

The DoD is planning a phased implementation of the CMMC program: under the proposed rule, requirements enter new contracts in stages over roughly three years after the final rule takes effect, starting with self-assessments and adding C3PAO and government-led assessments in later phases. The proposed CMMC rule outlining the program details is currently open for public comment until February 26, 2024. Public input is crucial for the DoD to refine the program and address industry concerns. The DoD emphasizes the importance of collaboration and encourages contractors to actively participate by submitting comments on the proposed CMMC rule. By working together, the DoD and defense contractors can improve cybersecurity and safeguard sensitive information.

For the latest news and information, check out https://dodcio.defense.gov/CMMC/

Conclusion

Your voice matters in shaping the final program and ensuring its effectiveness for the entire DIB community. We're here to support you every step of the way. Stay tuned for future blog posts where we'll delve deeper into CMMC compliance strategies and resources available to help you prepare for a successful assessment. Together, let's build a stronger, more secure defense industrial base!
