Last updated on July 18th, 2023 at 3:50pm
The below post (first published in 2021) has been updated to reflect CMMC 2.0.
The Cybersecurity Maturity Model Certification (CMMC) framework consists of cybersecurity best practices and maturity processes.
What is a CMMC Framework?
This framework is intended to protect federal contract information (FCI) and controlled unclassified information (CUI) with a goal of increasing assurance that federal contractors, and subcontractors within the supply chain, can adequately protect this information.
The Evolution of CMMC
The steady march forward of CMMC—despite some grumblings and internal reviews—signals big changes for organizations doing business with the Department of Defense (DoD).
A key element in CMMC is the move away from the self-attestation model of prior efforts to a higher level of certification of contractors and subcontractors through a third party. Certification can be sought and achieved at one of three levels, ranging from basic hygiene (like anti-virus software) at Level 1 to the ability to detect and respond to advanced persistent threats (APTs) at Level 3.
Note: When comparing CMMC 1.0 to CMMC 2.0, the biggest change is the reduction from 5 levels in CMMC 1.0 to 3 levels in CMMC 2.0. Below is an overview illustrating this change, followed by a more detailed view of the particulars of each level.
Requirements at these levels will be familiar to many organizations. For example, CMMC 2.0 Level 2 includes the requirements specified in National Institute of Standards and Technology (NIST) SP 800-171 and other NIST publications. CMMC certification verifies the implementation of the processes and practices required at a particular level.
The Three Levels of a CMMC 2.0 Framework
As with most large-scale frameworks, ongoing internal review may slow some implementation efforts, but there’s little doubt change is coming that will impact all DoD suppliers looking to get contract awards.
CMMC 2.0 is currently within the rulemaking process, and the DoD has indicated that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of that process. So, while CMMC 2.0 is not a contractual requirement now, it will be. Estimates from the DoD currently point to a 2024 implementation.
At the conclusion of rulemaking, all DoD contracts are likely to contain CMMC requirements, and other agencies may adopt CMMC as well. Prime contractors must be concerned with both their own certification and that of their subcontractors, and subcontractors may be facing third-party certification requirements for the first time. Satisfying CMMC requirements while also meeting the growing demand to move workloads to the cloud presents critical challenges for the defense industrial base to overcome.
The Challenges with Ensuring and Maintaining Cloud Compliance
Cloud infrastructure and resource compliance is complex. Whether you are required to follow established guidelines such as FedRAMP or HIPAA or you define your own standards, the sheer number of policies and resources in the cloud makes manual tracking a logistical nightmare. NIST SP 800-171 alone—a standard that makes up much of CMMC Levels 2 and 3—includes 110 policies, and each policy can apply to multiple resources. According to one study, 77% of IT decision makers believe they would not pass all of their cloud compliance audits.
Because cloud environments change constantly, achieving compliance at one moment in time doesn't ensure compliance going forward. You could spend hundreds of hours tracking compliance manually. If you don't, you risk non-compliance, which leaves you exposed to potential security breaches, or even civil or criminal penalties if you violate guidelines required by law. Under CMMC 2.0, a failed audit can also mean losing the ability to compete for contract awards.
Kion helps you overcome these cloud compliance difficulties.
Download our PDF to learn more about how Kion can help you achieve CMMC compliance and what's included in our CMMC 2.0 Jumpstart.