Essential Guide to CMMC 2.0 Compliance Requirements

Given the complexity of the Cybersecurity Maturity Model Certification (CMMC) framework, it is essential for government contractors and subcontractors to have a comprehensive CMMC compliance checklist to ensure they meet all the requirements.

The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.

This blog post explores the CMMC compliance requirements for the CMMC 2.0 framework, provides a comprehensive CMMC Compliance checklist, and offers Department of Defense (DoD) contractors practical insights into how they can achieve CMMC compliance.

What Is CMMC Compliance?

CMMC is a cybersecurity framework regulating manufacturing contractors serving in the Defense Industrial Base (Defense Industrial Base), an extensive list of DoD supply chain partners. Any contractor or subcontractor that processes, sends, shares, or receives controlled unclassified information (CUI) or federal contract information (FCI) must demonstrate compliance with CMMC.

The goal of the CMMC framework is to take disparate requirements and standards, coupled with several models for self-assessment and attestation, and streamline them into reliable, rigorous, and robust security practices that any business can align with.

The components of CMMC that set it apart from other federal government regulations, like the International Traffic in Arms Regulations (ITAR), the Federal Information Security Management Act (FISMA), or the Federal Risk and Authorization Management Program (FedRAMP), include:

• Controlled Unclassified Information (CUI) and Federal Contract Information (FCI): CMMC covers the storage, processing, transmission, and destruction of CUI explicitly. CUI is a unique form of data that hasn’t been designated under Secret classification but requires special protections to preserve national security. Examples of CUI may include financial information related to government contracts, personally identifiable or protected health information (PII/PHI) of government employees, or sensitive technical data related to defense systems.

  FCI is another lesser form of information related to the contractual relationships between contractors and agencies. CMMC is built to handle both cases.

• NIST Standards: CMMC, like other federal cybersecurity frameworks, draws from standards created and maintained by the National Institute of Standards and Technology (NIST). Specifically, CMMC relies on NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

  Additionally, Level 3 of CMMC compliance will draw from NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”

• Maturity Levels: To help defense contractors and agencies align on the required security needed to enter into working relationships, CMMC divides compliance into three maturity levels based on the contractor’s implementation of NIST SP 800-171 (and potential SP 800-172) controls.
• Third-party Assessments: Like FedRAMP, CMMC relies on third-party assessments performed by Certified Third Party Assessor Organizations (C3PAOs) like the ones listed here.

CMMC 2.0 Requirements

The transition from CMMC 1.0 to CMMC 2.0 reflected a streamlining and refinement of the framework and CMMC requirements to make CMMC compliance more efficient and practical for defense contractors in the defense industrial base (DIB). CMMC requirement changes include:

1. Fewer CMMC Maturity Levels

CMMC 1.0 featured five levels, ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 5). By contrast, CMMC 2.0 requires defense contractors to now meet one of only three maturity levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

2. Alignment with NIST Standards

CMMC 2.0 places a stronger emphasis on aligning certification requirements with existing NIST standards (NIST SP 800-171 for Level 2 and NIST SP 800-172 for Level 3). This alignment aims to reduce complexity and enhance consistency with well-established frameworks.

3. Self-Assessments

Under CMMC 2.0, companies responsible for handling Federal Contract Information (FCI) at Level 1 are only required to perform annual self-assessments rather than requiring third-party certification from a certified third-party assessor organization (C3PAO). Note: CMMC Level 2 compliance requires a mix of self-assessments and third-party assessments depending on the type of information being handled.

4. Elimination of Certain Practices and Processes

The CMMC 2.0 framework is missing the maturity processes that were part of levels in CMMC 1.0 and instead focuses purely on cybersecurity practices, simplifying CMMC requirements.

Ultimately, the transition from CMMC 1.0 to CMMC 2.0 reflects a more streamlined and aligned approach to cybersecurity requirements for defense contractors.

Despite the reduction and simplification of levels, the importance of meeting these requirements cannot be stressed enough. CMMC compliance is not only essential for maintaining existing contracts and securing new ones with the DoD, but it is also critical for protecting sensitive information and maintaining the integrity and trustworthiness of the defense supply chain.

CMMC Requirements by Maturity Level

It’s crucial for defense contractors to understand the specific requirements of each CMMC maturity level prior to beginning the CMMC compliance and certification process (this includes understanding the difference between CMMC certification vs. CMMC compliance). Each of the three maturity levels in the CMMC 2.0 framework, Foundational, Advanced, and Expert, comes with its own set of practices and processes, tailored to progressively enhance a defense contractor’s cybersecurity posture in parallel with the sensitivity of the information they process and share with the DoD. The key requirements for each CMMC 2.0 maturity level include:

CMMC 2.0 Level 1 Requirements: Foundational Cybersecurity

CMMC Level 1 focuses on foundational cybersecurity practices for organizations that handle federal contract information (FCI). This level is intended for organizations seeking to demonstrate basic cyber hygiene. The key requirements are:

1. Basic Safeguarding Practices: Organizations must implement 17 practices aligned with the Federal Acquisition Regulation (FAR) 52.204-21, which includes fundamental safeguarding requirements for protecting FCI.
2. Access Control: Limit information system access to authorized users and devices.
3. Awareness and Training: Provide security awareness training to organizational personnel.
4. Configuration Management: Establish and maintain baseline configurations for organizational information systems.
5. Identification and Authentication: Identify information system users, processes, and devices, and verify their identities before granting access.
6. Media Protection: Protect information system media both during and after it is used.
7. Physical Protection: Limit physical access to information systems and their components.
8. Risk Assessment: Periodically assess and review risks to organizational operations.
9. Security Assessment: Perform periodic security assessments to ensure compliance with security requirements.
10. System and Communications Protection: Monitor, control, and protect organizational communications at external boundaries and key internal points.
11. System and Information Integrity: Identify, report, and correct information and information system flaws in a timely manner.

Overall, CMMC 2.0 Level 1 requires basic cybersecurity practices that should be familiar and straightforward for most organizations to implement, providing essential protection for handling FCI.

CMMC 2.0 Level 2 Requirements: Advanced Cybersecurity

CMMC Level 2 is intended for defense contractors that handle controlled unclassified information (CUI) as part of their contracts with the DoD. Here are the core requirements for achieving CMMC 2.0 Level 2:

1. Alignment with NIST SP 800-171: Level 2 primarily aligns with the 110 security practices outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This includes controls across various domains such as access control, incident response, and risk management.
2. Assessment and Certification: Organizations must undergo a third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO) to verify compliance. This is mandatory for contracts involving CUI.
3. Biannual Self-Assessments: Organizations are also required to conduct annual self-assessments to ensure ongoing compliance and improvements in their cybersecurity practices.

4. Documentation and Policy Development: Companies need to have documented policies and procedures that support each of the security practices. This includes regularly updated records and audit trails.

5. Risk Management: Organizations must implement a risk management approach that identifies, assesses, and manages cybersecurity risks continuously.

6. Incident Reporting: Procedures must be in place for reporting incidents to the DoD, ensuring timely communication and response to potential breaches.

7. Continuous Monitoring: Companies should have mechanisms in place for continuous monitoring of their information systems to detect and respond to security threats promptly.

8. Security Awareness and Training: Implement a security training program to ensure all employees understand their cybersecurity responsibilities and the importance of protecting CUI.

By fulfilling these requirements, organizations can ensure they are prepared to protect sensitive information and maintain eligibility for DoD contracts involving CUI.

CMMC 2.0 Level 3 Requirements: Expert Cybersecurity

CMMC Level 3 is intended for organizations that handle controlled unclassified information (CUI) and requires them to implement more advanced cybersecurity practices. The requirements for Level 3 are not fully detailed in public documentation yet, however, here’s a general overview based on the available information:

1. Alignment with NIST Standards: Level 3 aligns closely with NIST SP 800-172, which builds on the controls outlined in NIST SP 800-171 by focusing on advanced cybersecurity practices and protections.
2. Advanced Security Practices: Organizations must adhere to over 110 practices, including those from lower CMMC levels (Level 1 and Level 2), enhanced with additional requirements focusing on sophisticated threat detection and response.
3. Incident Response and Management: Robust incident response practices must be in place, with capabilities to manage and report cybersecurity incidents effectively.
4. Continuous Monitoring: Organizations must implement continuous monitoring systems to detect, respond, and recover from cybersecurity events swiftly.
5. Risk Management: A mature risk management framework is required to assess, prioritize, and mitigate risks continuously.
6. Expert Level Assessment: Organizations at this level must undergo triennial assessments conducted by certified third-party assessors.
7. Federal Contract Information (FCI) and CUI Protection: Organizations need to demonstrate strong capabilities in safeguarding both FCI and CUI.

Since these are high-level guidelines, organizations aiming for CMMC 2.0 Level 3 compliance should closely follow updates from the Department of Defense (DoD) and consult with cybersecurity experts to ensure they meet all specific requirements as they evolve.

CMMC Compliance Checklist

CMMC certification, the precursor to CMMC compliance, is a rigorous process. To become CMMC certified, companies must meet an extensive set of requirements laid out by the DoD. Below is our CMMC checklist of items that organizations must address and meet if they wish to achieve CMMC certification.

Assess the Appropriate CMMC Maturity Level for Your Organization

The first step to achieving CMMC 2.0 compliance is to determine which CMMC maturity level is most appropriate of your organization. The CMMC certification process is a tiered approach, and companies must choose the right level to pursue based on the sensitivity of the data they handle. There are three levels of CMMC certification (see above).

Perform a CMMC Self-assessment to Gauge Your Readiness for CMMC Compliance

Once you have determined the maturity level your organization wants or requires, the next step is to perform a self-assessment of your organization’s cybersecurity profile. This assessment should include a review of your organization’s cybersecurity maturity, including your policies and procedures, network security, access control, and incident response capabilities.

Leverage Other Cybersecurity Frameworks to Streamline CMMC Compliance Efforts

While achieving CMMC certification can be a complex process, organizations can make the transition easier by leveraging existing frameworks and certifications that align with CMMC requirements. CMMC was developed from existing frameworks, and there is significant overlap between CMMC and other established cybersecurity frameworks that are relied upon for regulatory compliance.

One such framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides a set of guidelines and best practices for managing and mitigating cybersecurity risks. By implementing the CSF, organizations can align their cybersecurity practices with CMMC requirements, which will likely make the certification process easier and more streamlined.

Other frameworks and certifications that can help organizations achieve CMMC certification include FedRAMP, FISMA, the International Organization for Standardization 27000 standards (ISO 27001), and NIST Special Publication 800-171. By leveraging these frameworks and certifications, organizations can ensure that they also improve their overall cybersecurity posture and can demonstrate compliance with CMMC requirements.

Build a Plan of Action and Milestones (POA&M) for CMMC Compliance

A Plan of Action and Milestones (POA&M) is a critical document that outlines an organization’s strategy to address its weaknesses and deficiencies in its cybersecurity measures. It plays a significant role in demonstrating CMMC compliance. Building a POA&M requires a series of steps. After you have identified the appropriate level, identify the gaps between your current cybersecurity posture and the required certifications. This requires a thorough assessment of your organization’s existing policies, procedures, and technical measures.

Based on the gaps identified, prioritize the areas that need to be addressed first. Then, develop a timeline for each task, including deadlines for completion of each action item. Assign tasks to team members with clear responsibilities and hold them accountable for staying on track. Lastly, document all the steps taken toward compliance and keep track of progress regularly, updating the plan of action and milestones as necessary. This approach ensures a structured and methodical approach to CMMC compliance, leading to better efficiency and timely results.

Develop a System Security Plan (SSP) to Achieve CMMC Compliance

To achieve CMMC compliance, organizations must create a system security plan (SSP) that includes details about each system in their IT environment that stores or transmits controlled unclassified information (CUI) in accordance with NIST 800-171.

The SSP outlines information flow between systems and authentication and authorization procedures, as well as company regulations, staff security obligations, network diagrams, and administrative duties. The SSP is a living document that must be updated whenever significant changes are made to a business’s security profile or procedures.

During the contract bidding and award process, the Defense Department evaluates contractors’ SSPs. To win DoD business, contractors must have an active and legitimate SSP.

Creating (and updating) the SSP can be a resource-intensive process, but it is essential for maintaining CMMC certification criteria. Therefore, contractors must ensure they have the necessary resources available to create and update the SSP.

Select a CMMC Third Party Assessor Organization to Ensure CMMC Compliance

After completing the self-assessment, you will need to select a CMMC Third Party Assessor Organization (C3PAOs). A C3PAO is an organization that has been authorized by the Accreditation Body (AB) to conduct CMMC assessments. The C3PAO will be responsible for assessing your organization’s compliance with the CMMC framework.

Partnering with a C3PAO is a critical step in the process of achieving CMMC compliance. There are however several C3PAOs in the marketplace, and selecting the right one can be overwhelming.

Here are some considerations to keep in mind while selecting and working with a C3PAO:

• Check the CMMC-AB website for a list of authorized C3PAOs
• Look for a C3PAO with experience in your industry
• Check the C3PAO’s accreditation status
• Ask for references and feedback from previous clients
• Consider their pricing structure

Once you have selected a C3PAO, you will need to work closely with them to achieve CMMC compliance. The C3PAO will provide guidance throughout the compliance process, and they will assess your organization’s compliance with the CMMC framework.

Set a Timeline for CMMC Compliance

The CMMC certification process is a time-consuming task, and companies must plan accordingly. Here are some factors that companies must keep in mind while planning the certification process:

• Organization size
• Current cybersecurity posture
• The certification process can take up to 12 months, depending on the level of certification
• The C3PAO performs a gap analysis before the actual assessment, which can take up to three months
• The certification process requires ongoing maintenance and periodic assessments

Allocate Sufficient Resources to Achieve CMMC Compliance

The CMMC certification process can be a costly affair in terms of both financial and personnel allocation, and companies must budget accordingly. Contractors should expect to incur costs related to cybersecurity assessments, remediation, and ongoing maintenance. Here are some factors that companies must keep in mind while planning their budget:

• The cost of the certification process can vary depending on the CMMC level
• The cost of hiring a C3PAO can vary depending on their experience and accreditation status
• The certification process requires ongoing maintenance, which can add to compliance costs

How to Prepare for a CMMC Assessment

There are specific steps organizations can take to prepare for a CMMC assessment. Some of these steps include:

• Understand NIST Requirements: NIST publishes security documentation freely on their website. As such, there is little or no reason that your organization needs to have a basic grasp of the categories of security controls that an assessment would investigate. If nothing else, having a person or group within your organization who can interface with assessors and the government will be critical.
• Perform a Gap Analysis: Hire a security firm to analyze your IT infrastructure and map out how it compares against CMMC requirements. This will provide a clear picture of where you are versus where you need to be so that you can make the required changes and upgrades.
• Conduct a Risk Assessment: While the standards of CMMC are clearly defined, you can consider industry standards or business goals before adopting them as a checklist. Conducting a risk assessment can help you understand what you need to implement for compliance without limiting your business’s ability to grow.
• Select a C3PAO: The CMMC Accreditation Body (CMMC-AB) provides an online marketplace directory of accredited C3PAOs. Use this utility to select a company you want to work with.

  However, the CMMC-AB disallows contractors to work with a C3PAO outside of their assessment relationship. For example, to avoid conflicts of interest, a C3PAO cannot provide consulting or cybersecurity IT work before their work assessing the company.

• Prepare for Ongoing Assessment: After the initial CMMC certification, your organization will be required to handle ongoing re-certification and monitoring. Depending on the maturity level of your certification, this could mean annual self-assessments or triannual C3PAO audits.

Cost of CMMC Compliance

Understanding the true cost of CMMC compliance is crucial for any organization seeking to work with the DoD. The cost can vary dramatically depending on several factors, such as the size of your organization, the complexity of your network infrastructure, and the level of CMMC compliance you are aiming to achieve. CMMC compliance costs might include cybersecurity upgrades, consultant fees, and additional training for staff.

Despite these expenses, achieving CMMC compliance is not only a requirement for DoD contractors but also a valuable investment in your organization’s cybersecurity posture. Subsequent to these initial costs, organizations must also consider the ongoing expenses that come with CMMC compliance. These may include regular cybersecurity audits, periodic network upgrades, and the need for continuous employee training to stay ahead of emerging threats. Additional costs could arise from maintaining the required documentation or if you choose to hire a third-party service provider to manage your compliance process.

One significant factor that affects the cost of CMMC compliance is the CMMC level that your organization aspires to achieve. The CMMC model consists of five levels, with Level 1 being the most basic and Level 5 being the most advanced. Each level requires a progressively more rigorous set of cybersecurity controls, meaning the cost will increase as you move up the levels. It is crucial for organizations to accurately assess their necessary level of compliance and budget accordingly.

Another cost consideration is the size and complexity of your organization. Larger organizations with complicated network infrastructures will likely face higher compliance costs due to the increased complexity of their cybersecurity needs. On the other hand, smaller organizations may find the cost more manageable, but should still be prepared to invest in necessary infrastructure and training to ensure compliance.

While the cost of CMMC compliance can be considerable, it’s essential to view it, once again, as an investment in your organization’s future rather than just an expense. By achieving CMMC compliance, your organization not only meets the requirements to work with the DoD, but also significantly strengthens its overall cybersecurity, potentially avoiding costly cyber-attacks down the line. Therefore, while managing and planning for the cost of CMMC compliance may be challenging, the potential benefits far outweigh the initial and ongoing costs. Furthermore, non-compliance can lead to loss of business with the DoD, which can be a major blow for organizations relying on these contracts, making the cost of compliance a worthwhile investment.

Get Ready for CMMC Compliance With Kiteworks

Modern, data-driven businesses will rely on secure and frictionless IT infrastructure to support their operations. When it comes to government contractors, this means using secure file sharing solutions that are CMMC-compliant.

The Kiteworks Private Content Network is just such a solution.

With Kiteworks, defense contractors and other organizations operating in highly regulated industries get secure, using our exclusive Private Content Network. This private and protected communication platform provides organizations with secure and compliant email, file sharing, managed file transfer (MFT), web forms, and application programming interfaces (APIs).

Kiteworks features a hardened virtual appliance, end-to-end encryption, secure deployment options including a FedRAMP virtual private cloud, granular controls, authentication, security infrastructure integrations, and comprehensive logging and audit reporting enable organizations to demonstrate compliance with security standards easily and securely.

Kiteworks helps organizations demonstrate compliance with numerous federal and international data privacy regulations and standards that include FedRAMP, Federal Information Processing Standards (FIPS), FISMA, ITAR, the General Data Protection Regulation (GDPR), Australia’s Information Security Registered Assessors Program (IRAP), NIST CSF, ISO 27001, UK Cyber Essentials Plus, the European Union’s NIS 2 Directive, and many more.

Finally, Kiteworks enables DoD contractors and subcontractors in the DIB to achieve compliance with nearly 90% of CMMC Level 2 practices right out of the box.

Request a custom demo to learn more about Kiteworks and how the Private Content Network can help you achieve your CMMC compliance requirements, including demonstrating compliance with CMMC 2.0 Level 2.

Additional Resources

• Blog Post A Roadmap for CMMC 2.0 Compliance for DoD Contractors
• Blog Post 12 Things Defense Industrial Base Suppliers Need to Know When Preparing for CMMC 2.0 Compliance
• Guide CMMC 2.0 Compliance Mapping for Sensitive Content Communications
• Video Join the Kiteworks Discord Server and Connect With Like-minded Professionals for CMMC 2.0 Compliance Support
• Blog Post Navigating the Road to CMMC Level 2 Compliance: Insights and Tips From an Expert