Last updated on January 3rd, 2024 at 12:32pm
January 2024 Update:
In late December 2023, the government issued its proposed final rule on CMMC 2.0. Comments on this rule are due February 26, 2024.
The DoD is implementing a four-phased implementation for CMMC, introducing CMMC requirements in solicitations over a three-year period. The Department anticipates it will take two years for companies with existing contracts to become CMMC certified.
Here is a synopsis of key points for each phase:
- Phase 1. Begins on the effective date of the CMMC revision to DFARS 252.204-7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award.
- Phase 2. This phase introduces third-party assessment requirements and begins six months following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may also, at its discretion, include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.
- Phase 3. This phase begins to introduce DoD-led assessments (vs. third-party assessors) and begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date. DoD intends to include CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award.
- Phase 4, Full Implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.
Regarding the timeline for a final rule, DoD officials have previously said they don’t expect to issue a final rule until fall 2024.
The Cybersecurity Maturity Model Certification (CMMC) framework consists of cybersecurity best practices and maturity processes.
What is a CMMC Framework?
This framework is intended to protect federal contract information (FCI) and controlled unclassified information (CUI) with a goal of increasing assurance that federal contractors, and subcontractors within the supply chain, can adequately protect this information.
The Evolution of CMMC
The steady march forward of CMMC, despite some grumblings and internal reviews, signals big changes for organizations doing business with the Department of Defense (DoD).
A key element in CMMC is the move away from the self-attestation model of prior efforts to a higher level of certification of contractors and subcontractors through a third party. Certification can be sought and achieved at one of three levels, ranging from basic hygiene (like anti-virus software) at Level 1 to the ability to detect and respond to advanced persistent threats (APTs) at Level 3.
Note: When comparing CMMC 1.0 to CMMC 2.0, you’ll note the biggest change is a reduction from 5 levels in CMMC 1.0 to 3 levels in CMMC 2.0. Below is an overview to illustrate this change, and a more detailed view of the particulars of each level.
Requirements at these levels will be familiar to many organizations. For example, CMMC 2.0 Level 2 includes the requirements specified in National Institute of Standards and Technology (NIST) SP 800-171 and other NIST publications. CMMC certification verifies the implementation of processes and practices at a particular level.
The Three Levels of a CMMC 2.0 Framework
As with most large-scale frameworks, ongoing internal review may slow some implementation efforts, but there’s little doubt change is coming that will impact all DoD suppliers looking to get contract awards.
CMMC 2.0 is currently within the rulemaking process, and the DoD has indicated it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the rulemaking process. So, while CMMC 2.0 is not a contractual requirement now, it will be. Estimates from the DoD currently point to a 2024 implementation.
At the conclusion of rulemaking, all DoD contracts are likely to contain CMMC requirements, and there is a possibility that other agencies will also adopt CMMC. Prime contractors must be concerned with both their own certification and those of their subcontractors. Subcontractors might be facing third-party certification requirements for the first time. Satisfying CMMC requirements alongside the growing demand to move workloads to the cloud presents critical challenges for the defense industrial base to overcome.
The Challenges with Ensuring and Maintaining Cloud Compliance
Cloud infrastructure and resource compliance is complex. Whether you are required to follow established guidelines such as FedRAMP or HIPAA or define your own standards, the sheer number of policies and resources in the cloud makes manual tracking a logistical nightmare. NIST SP 800-171 alone (a standard that makes up much of CMMC Levels 2 and 3) includes 110 policies, and each policy can apply to multiple resources. According to one study, 77% of IT decision makers believe they would not pass all of their cloud compliance audits.
Because of the dynamic nature of the cloud, achieving compliance at one moment in time doesn't ensure compliance going forward. You could spend hundreds of hours tracking compliance manually. If you don't, you risk non-compliance, which leaves you exposed to potential security breaches or even civil or criminal penalties if you violate guidelines required by law. CMMC 2.0 requirements add the potential inability to compete for contract awards as a consequence of failed audits.
Kion helps you overcome these cloud compliance difficulties.
Download our PDF to learn more about how Kion can help you achieve CMMC compliance and what's included in our CMMC 2.0 Jumpstart.