CMMC Compliance and the Cyber Supply Chain

All U.S. Department of Defense (DoD) contractors, third-party suppliers, and those identified as part of the Defense Industrial Base (DIB) will soon be required to implement and comply with Cybersecurity Maturity Model Certification (CMMC).

CMMC is the manifestation of DoD efforts to establish a standard cybersecurity framework for cyber protection and supply chain cyber resilience. The second iteration of CMMC, Version 2.0, refines and reinforces DoD efforts to safeguard sensitive, but not classified, information. The CMMC framework represents standardized and proactive cybersecurity best practices and as such has emerged as a model for organizations requiring a credible cyber defense framework for protecting sensitive information.

The CMMC 2.0 framework features updated security requirements to provide additional protection of critical defense supply chains and prevent compromise of sensitive DoD information. CMMC 2.0 also includes key updates to enhance accountability, provide more robust DIB cybersecurity, simplify the certification process, and minimize barriers to DoD compliance.

CMMC 2.0 simplifies certification implementation by reducing the size of the model from five certification levels to three. Each of the three levels reflects the sensitivity of the material handled and the ability of the organization’s cybersecurity infrastructure to safeguard sensitive information. The CMMC 2.0 framework levels are:

  • Level 1: Foundational Cyber Hygiene includes 15 requirements and requires implementation of fundamental cybersecurity practices, such as password management and utilization of patches to keep systems updated. Level 1 dictates annual self-assessment and annual affirmation. It is defined primarily for small businesses handling the least sensitive, non-critical information, the compromise of which causes little damage.
  • Level 2: Advanced Cyber Hygiene builds on Level 1 but includes 110 requirements based on NIST SP 800-171. Requirements focus on access control, incident response, risk management, physical security, and system integrity. Level 2 requires triennial third-party assessment and annual affirmation, depending on the program. It targets organizations handling information determined to be critical for national defense, including organizations that provide critical infrastructure, such as energy, communications, and transportation.
  • Level 3: Expert Cyber Hygiene requires the most comprehensive and sophisticated security practices, with additional emphasis on information protection, detection, and response. The 110-plus requirements of Level 3 are based on both NIST SP 800-171 and NIST SP 800-172. Triennial government-led assessments and annual affirmation are required. Level 3 is intended for organizations handling the most critical, non-classified DoD information.

CMMC 2.0 assessment requirements are based on the sensitivity of the information shared with the organization. Organizations handling information considered non-critical to national security are classified as Level 1. Organizations handling critical national security information are categorized as Level 2, while organizations handling non-classified information viewed as most critical to national defense are categorized as Level 3.

CMMC 2.0 Level 1 and portions of Level 2 allow organizations to self-assess and provide annual affirmation. In most cases, Level 2 organizations must participate in a third-party certification process. The third-party assessment is conducted by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the CMMC Accreditation Body. As envisioned, CMMC 2.0 Level 3 assessments will be conducted by “government officials”.

CMMC represents the cybersecurity cornerstone of the DoD’s critical contractor information and supply chain activities, but the standard and the broader ecosystem remain a work in progress. The CMMC Assessors and Instructors Certification Organization estimates CMMC 2.0 will be available in late 2025 or early 2026. For the more than 300,000 government contractors and numerous supporting companies, the lack of a final framework presents both bureaucratic and cybersecurity challenges. That said, industry and government stakeholders can prepare themselves for the eventual CMMC assessment and certification process changes by participating in early adopter programs, self-assessments, and various types of CMMC professional training.

While CMMC standards are being finalized, cybersecurity requirements will vary with the specific terms of each government contract. CMMC compliance, though, will eventually be mandatory for organizations handling critical DoD information. As a baseline, DIB organizations should begin adopting the proposed CMMC requirements. In view of the cyber risk environment, and considering that CMMC provides a comprehensive cybersecurity framework, organizations not currently identified as part of the DIB should also consider implementing CMMC.

As cyberattacks become an almost daily occurrence, more organizations are demanding that third-party vendors and suppliers implement heightened levels of security. CMMC certification sends a strong message to potential clients that an organization takes cybersecurity seriously and has allocated the required resources to protect sensitive information. Further, those resources are based on standards and processes endorsed by the DoD. Certification will also make it much more straightforward to comply with any new measures that eventually emerge from future CMMC updates.

Michael Spector
President at BCR Cyber

Michael Spector is the President at BCR Cyber where he leads the company’s growth and expansion strategy. Established in 2017, BCR Cyber (formerly Baltimore Cyber Range) is dedicated to delivering exceptional training solutions to both government and commercial clients. BCR Cyber has trained thousands of individuals and successfully placed over 83 percent into employment. The BCR Cyber Range is the first such facility in the world specifically dedicated to workforce development in the cybersecurity sector. For more information, visit www.bcrcyber.com.