Cybersecurity Maturity Model Certification (CMMC) v2.0
The wait is finally over for defense contractors and subcontractors!
CMMC v2.0 has been officially released. You no longer have to worry about complicated instructions and unnecessary, overly burdensome requirements. The time to start your assessment is now, to get ahead of your competition and beat the line. Check out the requirements and schedule your free consultation with a CMMC certified expert today!
CMMC v2.0 Content Overview
The document includes:
- CMMC Model and Summary
- Appendix A: CMMC Model 2.0
- Appendix B: Process and Practice Descriptions
- Appendix C: Glossary
- Appendix D: Abbreviations and Acronyms
- Appendix E: Source Mapping
- Appendix F: References
Key features of CMMC 2.0
- Streamlined Model
  - Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels.
  - Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards.
- Reliable Assessments
  - Reduced assessment costs: Allows all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments.
  - Higher accountability: Increases oversight of professional and ethical standards of third-party assessors.
- Flexible Implementation
  - Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
  - Added flexibility and speed: Allows the Government to waive inclusion of CMMC requirements under certain limited circumstances.
The framework of the CMMC 2.0 encompasses 14 Domains. Within those Domains are:
- Processes (spanning three levels)
- Capabilities (also spanning three levels), which also include Practices across the three levels
Federal Contract Information (FCI): Information provided by or provided to the US Government that is under contract but is not intended for public release.
Controlled Unclassified Information (CUI): Information that needs to be secured but isn't "classified."
Advanced Persistent Threats (APTs): Threats from highly sophisticated cyber adversaries.
CMMC 2.0 Maturity Levels (ML)
CMMC 2.0 Level 1 - Foundational
- "Basic Cyber Hygiene"
- 17 Practices for basic safeguarding of FCI
- Annual self-assessment or self-attestation
- No actual processes
- Only addresses practices from the FAR Clause 52.204-21.
CMMC 2.0 Level 2 - Advanced
- "Advanced Cyber Hygiene"
- All contractors handling CUI will be required to be CMMC 2.0 Level 2 certified.
- 110 Practices aligned with NIST SP 800-171 to protect CUI
- Triannual third-party assessments for critical national security information
- 2 processes
CMMC 2.0 Level 3 - Expert
- "Expert Cyber Hygiene"
- 110+ Practices aligned with NIST SP 800-172 to protect CUI
- Triannual government led assessments
- 1 process for safeguarding CUI
- Focus on protecting CUI from APTs
- Includes all 110 security controls from NIST 800-171
The CMMC is the government's attempt at simplifying cybersecurity requirements for its defense industrial base (DIB) contractors; it encompasses all of the following guidelines and requirements:
- FAR Clause 52.204-21 b.1.i
- NIST SP 800-171 Rev 1 3.1.1
- CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
- NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
- CERT RMM v1.2 TM:SG4:SP1
- NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
- AU ACSC Essential Eight
Don't Lose Your Contract!
Here at Petronella Technology Group, we think of the CMMC as wonderful new guidance on cybersecurity for you and your business. Schedule a free consultation with a CMMC certified expert today to make sure you are on the right track to keeping all of your valuable government contracts or to gain a competitive advantage!