The CMMC 2.0 framework offers a more transparent pathway.
Just when we were all finally wrapping our brains around the Cybersecurity Maturity Model Certification (CMMC) mandate for the defense industrial base (DIB), they went and changed it on us—for the better!
In the early morning of November 4, 2021, “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward” was published by accident. The premature post sent the CMMC community into overdrive and, several hours later, Acquisition and Sustainment at the Office of the Under Secretary of Defense released new CMMC 2.0 content providing more detail.
CMMC 2.0 creates a more simplified and streamlined pathway to compliance.
According to the DoD, CMMC 2.0 is intended to make the cost of compliance more manageable for small businesses while also “increasing trust in the CMMC assessment ecosystem” and “clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.”
- Fewer levels. CMMC 1.0 had five levels of compliance, but CMMC 2.0 has just three. Levels 2 and 4 have been eliminated and absorbed by the other levels. Level 2 is for organizations dealing with controlled unclassified information (CUI). Level 1 is for those with lower-level information, and Level 3 is reserved for higher-level CUI and critical programs.
- Simplified processes. They have removed “CMMC unique” processes from the mandate, presumably aligning CMMC with existing NIST 800-171 or CIS practices at Levels 1 and 2, though this part is not entirely clear yet. Level 3 will now comply with NIST 800-172 practices. This change allows companies to rely on tools that have been in use in the government for years, such as automated scanning, remediation, and continuous monitoring of controls.
- Self-assessments. The new rules allow for self-assessment at Level 1, saving small and mid-size businesses the costs of independent certification through the CMMC Accreditation Body. At Level 2, some organizations may self-assess while others will require an independent assessment, depending on the data they handle.
- POAMs and waivers. CMMC 2.0 provides additional flexibility to organizations by allowing a plan of action and milestones (POAM) and a waiver process that can waive certification on a limited basis and in mission-critical instances.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” said Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
It is important to note that there will be no contractual requirement for CMMC 2.0 until the formal rulemaking is complete and the strategic intent of the new publication is better understood. This process can take 9-24 months. In the meantime, forge ahead as if it has happened.
CMMC 2.0 eases the challenges of cost, effort and compliance overall.
CMMC 2.0 addresses some of the challenges the DIB has faced over maintaining compliance, primarily the costs and effort required. In addition to the changes listed above, CMMC 2.0:
- Cuts red tape for small and medium-sized businesses
- Sets priorities for protecting DoD information
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
We are still awaiting clarity on how closely CMMC 2.0 aligns with DoD hardening efforts that rely on NIST controls, Security Technical Implementation Guides (STIGs), and Center for Internet Security (CIS) benchmarks. Prior to the update, CMMC imposed its own specialized requirements. Those initial requirements have now been removed, which puts CMMC compliance easily within reach of automated hardening solutions that have been proven in the DoD for years.
By mirroring established government hardening requirements, the DIB doesn’t have to figure out what to do all on its own. Instead, its requirements align with established ones that rely on lower-level controls to create secure, resilient environments. However, organizations need to continuously monitor these controls and update them to maintain a dynamic security posture. This requirement can also be automated.
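As an added illustration of what “continuously monitor these controls” means in practice, the script below checks a configuration file against a hardening baseline, reports drift, and produces a remediated copy. This is example code written for this post, not SteelCloud’s ConfigOS, not DISA STIG or CIS benchmark content; the baseline, the `EXAMPLE-00x` check identifiers, and the sample `sshd_config` excerpt are all constructed placeholders.

```python
"""Constructed example: baseline drift check and remediation for a
key/value configuration file (sshd_config style). Not vendor code."""

# Constructed baseline: key -> (expected value, comparison, check id).
# "eq" = value must match, "max" = integer value must not exceed expected.
# Check ids are illustrative placeholders, not real STIG/CIS identifiers.
BASELINE = {
    "Protocol": ("2", "eq", "EXAMPLE-001"),
    "PermitRootLogin": ("no", "eq", "EXAMPLE-002"),
    "PasswordAuthentication": ("no", "eq", "EXAMPLE-003"),
    "ClientAliveInterval": ("600", "max", "EXAMPLE-004"),
    "MaxAuthTries": ("4", "max", "EXAMPLE-005"),
}

# Constructed sample input; not captured from any real host.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
ClientAliveInterval 900
MaxAuthTries 4
"""


def parse_config(text):
    """Return {key: value}; comments and blank lines are ignored and,
    as sshd does, the first occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value)
    return settings


def evaluate(settings, baseline=BASELINE):
    """Compare parsed settings to the baseline; one finding per check."""
    findings = []
    for key, (expected, op, check_id) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            status = "missing"          # control not set at all
        elif op == "eq":
            status = "pass" if actual.lower() == expected.lower() else "fail"
        elif op == "max":
            try:
                status = "pass" if int(actual) <= int(expected) else "fail"
            except ValueError:
                status = "fail"         # non-numeric value counts as drift
        else:
            raise ValueError(f"unknown operator {op}")
        findings.append({"id": check_id, "key": key, "expected": expected,
                         "actual": actual, "status": status})
    return findings


def summarize(findings):
    """Count findings by status, the figure a dashboard would track over time."""
    return {s: sum(1 for f in findings if f["status"] == s)
            for s in ("pass", "fail", "missing")}


def remediate(text, findings, baseline=BASELINE):
    """Rewrite the first effective line of each failing key and append
    any missing keys, returning the corrected configuration text."""
    fixes = {f["key"]: baseline[f["key"]][0]
             for f in findings if f["status"] != "pass"}
    out, handled = [], set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        key = parts[0] if parts else None
        if key in fixes and key not in handled:
            out.append(f"{key} {fixes[key]}")
            handled.add(key)
        else:
            out.append(raw)
    for key, value in fixes.items():
        if key not in handled:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = evaluate(parse_config(SAMPLE_CONFIG))
    for f in findings:
        print(f"{f['id']} {f['key']:24} {f['status']:8} "
              f"expected={f['expected']} actual={f['actual']}")
    print("before:", summarize(findings))
    fixed = remediate(SAMPLE_CONFIG, findings)
    print("after: ", summarize(evaluate(parse_config(fixed))))
```

Run on a schedule, the `summarize` output is the trend line a continuous-monitoring process needs: a fail or missing count that rises between runs is configuration drift to investigate, and the remediated file is what an automated hardening tool would apply and re-verify.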
STIG & CIS Automation simplifies your path to CMMC 2.0 compliance even further.
While CMMC 2.0 had a less than well-planned debut, it offers a better-planned pathway to compliance with lower costs, less red tape, and requirements that can be easily automated through the DoD’s most trusted STIG & CIS control automation tool, SteelCloud’s ConfigOS. Automation removes the time-consuming and resource-draining barriers to compliance. It allows you to self-heal your security configuration conflicts, document your processes, continually maintain a secure environment, and free your people to do the things people do well, such as developing policies and processes.
Better yet, you can bring everything into compliance in less than a day. (We’d tell the whole truth and say it can happen in an hour or two, but you wouldn’t believe us.) So while automation would have been an important tool for CMMC 1.0 compliance, the advent of CMMC 2.0 and its alignment with DoD controls and processes makes it absolutely essential.
As you adjust your strategy to meet your 2025 CMMC security compliance deadline, know that the pathway will be more transparent and simplified. We know CMMC 2.0 will profoundly reshape the vendor landscape, and being awarded a contract means preparing now. SteelCloud is here to help with CMMC readiness by automating STIG & CIS policy compliance.
Feel free to contact us if you have any questions as we move closer to CMMC compliance.
For more changes and frequent updates, visit https://www.acq.osd.mil/cmmc/index.html