The United States Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) Final Rule on October 15, 2024, in response to rising cybersecurity threats across the defense industrial base (DIB). This new framework, anticipated to go into operation on December 16, 2024, and attain widespread adoption from mid-2025, seeks to step up CMMC 2.0 compliance among DIBs.  

According to the DoD, the newly unveiled CMMC program will help the agency verify that all federal contractors implement the requisite cybersecurity safeguards for controlled unclassified information (CUI) and federal contract information (FCI).  

But what exactly are the implications of CMMC 2.0 compliance (or a lack thereof)?  

That question shall form the basis of this post. Read below as we navigate the latest DoD CMMC Final Rule updates and the significance of adhering to the protocols. 

Contextualizing DoD’s CMMC Final Rule 

Initially, cyber-attacks aimed at the Department of Defense predominantly targeted the agency’s inner administrative sanctum. But that was long before hackers discovered it was easier to breach the more unsuspecting DoD contractors spread throughout the defense industrial base.  

The past few years have witnessed widespread attacks targeting DoD vendors, including the September 7, 2017, Equifax data breach that resulted in the malicious exposure of over 140 million Americans. This incident highlighted the vulnerability of sensitive security information in third-party hands, with Equifax suffering a 14% share drop and massive reputational damage.  

A year later, the DoD reported yet another significant data breach through one of its travel management service providers. Up to 30,000 military personnel and thousands of civilians had their credit card and other personal data leaked.  

It’s in light of the growing cybersecurity threats that the Department of Defense designed the CMMC 2.0 Program. Under the new rule, DoD vendors handling CUI and FCI will undergo streamlined but more rigorous audits to certify their CMMC cybersecurity compliance.  

CUI and FCI refer to information the federal government doesn’t designate as classified but must be handled under certain controlled measures. The primary difference is that CUI demands higher protection levels than FCI.  

While the CMMC Final Rule doesn’t alter CUI and FCI definitions, it defines processes required to assess whether DoD vendors comply with the appropriate CMMC levels for both sets of sensitive information.  

Understanding the Latest Changes in CMMC 2.0

1. Introduction of 3 Levels

Earlier CMMC models had five maturity levels – performed, documented, managed, reviewed, and optimized. However, these were collapsed into three under the recently released Final Rule.  

The DoD eliminated Levels 2 and 4. However, it unaltered Level 1, retaining all 17 practice standards.  

The new DoD CMMC model also replaced the former Maturity Level 3 with a new Maturity Level 2 but without the delta 20 practices in the former Level 3. By removing the delta 20 practices, Level 2 in the new CMMC framework aligns more with NIST 800-171’s 110 protocols.  

Presently, Maturity Level 3 is being developed as a replacement for former Levels 4 and 5. Level 3 will be modeled based on a subset of NIST 800-172 protocols.  

Below are detailed requirements of the three distinct Maturity Levels under the new CMMC Rule; 

Level 1 (Foundational level) 

Level 1 mandates DIBs to implement 17 controls outlined in NIST 800-171 and complete annual self-assessments.  

Each annual assessment seeks to establish whether an organization’s existing internal security architectures provide sufficient safeguards against CUI leakage.  

A DoD contractor must meet 15 Level 1 conditions to receive the CMMC status of Final Level 1. Besides, the results must be published in the Supplier Performance Risk System (SPRS) for immediate access and scrutiny. 

Level 2 (Advanced) 

DoD contractors seeking Level 2 certification must comply with all 110 NIST 800-171 R2 controls.  

Unlike Level 1, which requires self-assessments, Level 2 mandates all prospective DoD vendors to get audited by authorized CMMC Third-Party Assessment Organizations (C3PAO). You can find an accredited CMMC Level 2 C3PAO right from the Cyber AB marketplace.  

Level 2 also requires certifications to be completed every three years, and results are fed into the Enterprise Mission Assurance Support Service (eMASS). eMASS is a state-owned web-based application that maintains a broad suite of security authorization capabilities. It’s strictly accessible by authorized users. 

Level 3 (Expert) 

Level 3 is unarguably the most comprehensive of the three CMMC certification levels.  

To pass Level 3 audits, a DIB must implement all 110 controls in NIST 800-171 in addition to 24 controls based on NIST 800-172, which are still under development.  

The extra 24 requirements pertain to CUI associated with high-value assets or critical security programs. Their compliance must be assessed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).

2. Introduction of POA&Ms 

A notable feature of the new CMMC model is the introduction of the Plan of Action and Milestones (POA&Ms). 

In the new arrangement, DIBs that partially meet CMMC’s certification requirements can begin executing their DoD contracts while taking the necessary steps to achieve full compliance.  

However, such vendors must commit in writing, detailing the methodologies and timeframes within which they undertake to satisfy the unmet conditions. 

3. Hybrid Assessments

As mentioned, CMMC’s Maturity Level 1 certification will now require self-assessments, while accreditations for subsequent levels will need evaluation by C3PAOs. This hybrid approach provides better safeguards against unauthorized CUI sharing by allowing independent organizations to authenticate self-assessment scores.  

It’s also expected that CMMC cybersecurity Level 3 certification will be awarded by federal officials, most likely the DIBCAC.  

Moreover, there are distinctions in terms of the evaluation process. In the previous framework, a C3PAO would need to submit a V1.02 assessment report to the CMMC AB, which conducts the final evaluation and issues certifications. That’s a glaring contrast from the new model, in which C3PAOs share audit reports directly with the DoD. 

Crush Course in Attaining CMMC Certification

1. Define Your CMMC Level

Organizations seeking compliance (OSCs) with the new CMMC rule must first understand the CMMC levels for which they wish to be certified.  

As mentioned, there are three distinct maturity levels, each with unique accreditation requirements. 

2. Perform a Gap Analysis

Gap analysis involves gauging your organization’s current cybersecurity architecture against those stipulated by the DoD CMMC framework to uncover potential areas for improvement.  

If the assessment identifies any gaps, you’ll need to seal those loopholes before proceeding further. 

3. Develop an SSP

A system security plan (SSP) is a critical document that details the cybersecurity controls and safeguards your company must implement in the quest for CMMC 2.0 compliance. Its core components include; 

• Introduction – Spells out the core objectives and scope of the SSP 
• System Overview – Defines the systems the SSP addresses, including but not limited to its unique purpose and functionalities 
• System Boundaries – Outlines the boundaries of the SSP framework and its relationship with external cybersecurity systems 
• Security Control Implementation – Details the security protocols to implement within the SSP system and how they align with the specific CMMC levels you’re seeking certification for 
• Control Objective Statements – States the objective statement describing the desired outcome for every security control 
• Control Implementation Status – Highlights the status of implementation for every security control, i.e., whether the tested controls have been fully implemented, partially implemented, or set aside for future implementation 
• Control Responsibility – Spells out the roles of personnel responsible for implementing and maintaining each control 
• Control Monitoring – Outlines the performance indicators for each implemented control 
• Incident Response and Reporting – Elaborates security incident response procedures 
• Continuous Monitoring – Defines the procedures for ongoing monitoring of your overall cybersecurity hygiene 

It’s important to note that no SSP is cast in stone. Regular updates are necessary to align the document with emerging cybersecurity threats and regulatory and policy changes. For instance, many organizations will now restructure their SSPs in the wake of the new DoD CMMC framework. 

4. Action Security Controls

Now that you understand the CMMC security protocols to implement in your organization, it’s time to action the controls.  

CMMC security controls can run the full gamut, from access control via mechanisms like user authentication to database protection, incident response, etc.  

Engaging an authorized C3PAO can make a significant difference in helping you understand the CMMC maturity process and adopt appropriate control mechanisms. Their unbiased assessments are particularly instrumental when scheduling CMMC Level 2 audits.

5. Establish A POA&M

The POA&M is one of the most striking features of the new CMMC rule. As already explained, it provides partially compliant OSCs the freedom to execute their DoD contracts as they seek to fulfill the unmet requirements.  

A POA&M document should be brief and concise. It details the actions you must take to achieve total compliance alongside responsible personnel and a clearly defined roadmap.  

To execute a robust POA&M for CMMC, prioritize the most severe vulnerabilities from your gap analysis report. Next, remediation for every weakness should be prescribed, strict timelines should be set, and responsible personnel should be assigned to implement the controls.  

To expedite the remediation process, break each weakness into distinct milestones and specify performance indicators to track the progress.  Remember to review your POA&M regularly and update or revise where required.  

The Bottom Line 

The DoD’s CMMC Final Rule has revolutionized how DIBs handle CUI and FCI information. The new framework streamlines the accreditation process for entities seeking CMMC certification and third-party assessor organizations.  

Instead of five levels, the latest CMMC iteration has three levels carefully condensed for easy interpretation. Besides, the introduction of the Plan of Action and Milestones allows conditionally compliant contractors to remain operational to attain full compliance.  

As a parting shot, note that the DoD’s cybersecurity protocols are constantly upgrading. So, it’s prudent to keep up with CMMC news to stay abreast of emerging regulatory and policy trends. More importantly, you can take a massive leap towards CMMC 2.0 compliance by liaising with an authorized C3PAO.