Exploring CMMC 2.0 Levels: The Path to Cyber Resilience

In 2023, the average cost of a single data breach reached about 4.5 million USD, and that figure keeps climbing year over year. Keeping your information safe is therefore paramount, especially if you own a business, whether you run a large organization or a small one. That is why cybersecurity is such a hot topic right now.

As a business owner, you are probably wondering what it takes to protect your sensitive information. If you are a contractor or subcontractor handling U.S. Department of Defense (DoD) information that is not meant for public release, there is a program whose requirements you must meet: the Cybersecurity Maturity Model Certification (CMMC).

Today we are going to explore the updated version of the program, CMMC 2.0, including its three levels and the changes that help organizations strengthen their cybersecurity posture. Let’s get into it!


What is CMMC

The Cybersecurity Maturity Model Certification provides a structured way to verify that an organization protects sensitive information. It consists of practices, standards, and assessment processes that keep this information safe. While it is mandated for DoD contractors, organizations of all kinds can benefit from the structure it provides.

The U.S. Department of Defense (DoD) created the CMMC framework with the Defense Industrial Base (DIB) in mind, because DIB contractors are targeted by increasingly sophisticated and frequent cyberattacks. Leaving this sector unprotected means leaving national security information vulnerable. The U.S. government needed a way to prevent these threats and a way to respond to them.

This framework is essential for assessing and improving the security of contractors and their suppliers. By aligning contractor practices with the DoD’s security requirements, it keeps controlled unclassified information (CUI) and federal contract information (FCI) secure. This is a major step forward for protecting information as it moves between contractors and the Department, and for protecting the sensitive information held within acquisition programs and systems.

In September 2020, the DoD published an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) in the Federal Register. DFARS Case 2019-D041 implemented the initial version of the program (CMMC 1.0). Its defining features were:

  • Tiered model.

  • Required assessments.

  • Implementation through contracts.

The interim rule took effect on November 30th, 2020, establishing a five-year phase-in period. In March 2021 the DoD began an internal review of the program’s implementation, looking for ways to refine the policies and improve execution, and in November 2021 it announced the revised program, CMMC 2.0. The main goal of the program is, of course, to safeguard sensitive information. One of the reasons the DoD cites is to protect the warfighter by protecting the information that supports them.

Another stated goal is to enhance DIB cybersecurity to meet evolving threats, keeping requirements current as cybercrime and attacker tradecraft evolve. Ensuring accountability for compliance with DoD requirements while minimizing barriers to compliance, and maintaining public trust through high professional and ethical standards, are also key factors in the program. Finally, the last primary goal is to instill a collaborative culture of cybersecurity and cyber resilience across the DIB.

Let’s get into the details of CMMC 2.0 now, otherwise known as its levels. The program contains three levels, which replace the previous five-tier system:

  • Level 1 (Foundational).

  • Level 2 (Advanced).

  • Level 3 (Expert).

The sensitivity of the information your organization handles determines which level of compliance you must meet. Below we go into each level’s requirements and assessment procedures.

CMMC 2.0 Level 1: Foundational

Level 1 is what you might expect it to be: the basic elements of cybersecurity. It requires an annual self-assessment and an annual affirmation of compliance by a senior company official. No third-party certification is involved; businesses in the Level 1 category demonstrate compliance through the self-assessment alone.

Contractors perform these self-assessments against distinct, clearly stated safeguarding requirements. Note that Level 1 requires only that the practices be performed, not that the organization document formal processes around them, so it is not uncommon for organizations at this level to carry them out in an “as needed” manner. Businesses and contractors at this level focus on the protection of FCI.

While higher-level assessments are performed by Certified Third-Party Assessor Organizations (C3PAOs) authorized by the Cyber AB (formerly the CMMC-AB), this is not necessary for Level 1 organizations. Instead, Level 1 safeguarding must align with the basic requirements listed in 48 CFR 52.204-21. Anyone who handles FCI, meaning information “not intended for public release” that is provided by or generated for the Government under a contract to develop or deliver a product or service, must meet CMMC Level 1. Information the Government releases to the public and simple transactional information are excluded from this definition.

CMMC 2.0 Level 2: Advanced

Having organizations document their processes to guide their security efforts is central to achieving CMMC Level 2. At this level, documentation must exist so that employees can repeat the same processes consistently; performing them repeatably is what separates Level 2 from Level 1. This middle level involves intermediate to advanced cyber hygiene practices.

CMMC 2.0 Level 2 is essentially equivalent to CMMC 1.02 Level 3. NIST SP 800-171 sets the standard for CMMC 2.0 Level 2, which comprises all 110 security requirements across the 14 families of that publication, the same 110 that formed the core of CMMC 1.02. However, the 20 additional practices that were unique to CMMC 1.02 Level 3, along with its separate process-maturity requirements, are not included.

Level 2 assessment requirements depend on whether the CUI involved is considered critical to national security. Organizations handling critical national security information (prioritized acquisitions) must pass a third-party assessment conducted by a C3PAO every three years. Organizations in non-prioritized acquisitions handling non-critical CUI may instead perform an annual self-assessment with an annual affirmation.

CMMC 2.0 Level 3: Expert

Meeting the Level 3 requirements further reinforces your organization’s security structure. This level represents expert-grade cyber hygiene and focuses on protecting CUI against advanced persistent threats (APTs). It reduces a system’s exposure to APTs by requiring contractors to establish, maintain, and resource plans for managing their most important cybersecurity processes.

These plans might cover topics such as:

  • Goals.

  • Missions.

  • Projects.

  • Resourcing.

  • Training.

  • The involvement of stakeholders.

Level 3 builds on all 110 security requirements of NIST SP 800-171 and adds a subset of the enhanced requirements in NIST SP 800-172, which targets the protection of CUI from APTs. Contractors at this level, like those handling CUI at Level 2, are also bound by DFARS clause 252.204-7012, which among other things requires them to report cyber incidents to the DoD within 72 hours of discovery. CMMC Level 3 applies to contractors and companies that handle CUI for the DoD’s highest-priority programs.

If you’d like a point of comparison, think of CMMC 1.02 Level 5. Level 3 assessments are conducted by the government (the Defense Contract Management Agency’s DIBCAC) every three years rather than by a C3PAO, and the organization must already hold a Level 2 certification.

Key Changes in CMMC 2.0

Between the previous version of the program (CMMC 1.02) and today’s version, there have been some notable changes. These changes refine and build on the original program requirements. CMMC 2.0:

  • Streamlines the model from 5 levels to 3, focusing on the most critical requirements.

  • Aligns its requirements with existing National Institute of Standards and Technology (NIST) standards, namely SP 800-171 and SP 800-172, rather than CMMC-unique practices.

  • Allows companies at Level 1, and a subset of companies at Level 2 (non-prioritized acquisitions), to demonstrate compliance through annual self-assessment.

  • Holds third-party assessors more accountable for their professional and ethical standards.

  • Allows companies, under specific circumstances, to use Plans of Action and Milestones (POA&Ms) to achieve certification while closing remaining gaps within a limited time.

  • Allows the Government, in certain limited situations, to waive the inclusion of CMMC requirements in a contract.

Conclusion

With cyberattacks on the rise and the resulting financial losses escalating, protecting information is vital, especially for businesses, as we discussed today. We covered the DoD’s framework for protecting information related to national security. CMMC 2.0 gives DIB contractors and their subcontractors structured requirements, recognized standards, and verifiable processes.

This streamlined framework defines 3 levels of compliance: Foundational, Advanced, and Expert. Each level aligns with the sensitivity of the information a business handles, and the requirements scale from basic safeguarding of FCI to advanced practices for protecting CUI against APTs. By implementing CMMC 2.0, businesses such as yours can build sturdy cybersecurity structures, reduce their vulnerabilities, and be better prepared to handle and respond to security breaches.