Key Details: Earlier this November, the Department of Defense (DOD) released new cybersecurity guidance titled “Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program.” The goal of this was to enhance CMMC 1.0 and move to CMMC 2.0 by simplifying standards, clarifying regulations, and increasing DOD oversight. Ryan & Wetmore recently covered the announcement of CMMC 2.0 here. This article contains information regarding the overall purpose of CMMC 2.0, a description of the three levels in the model, the potential changes to be implemented, and the timeline and rulemaking process for CMMC 2.0.
Updated CMMC 2.0 Program Documentation
The DOD has now released updated program documentation that is highly relevant to defense contractors. These requirements will not be contractual until the DOD completes the rulemaking and implementation process, which is estimated to take 9 to 24 months. However, defense contractors should review the updated documentation and resources provided by the DOD ahead of time, so that they are compliant when the rulemaking process is completed and can continue competing for contracts.
Furthermore, contractors should perform a self-assessment to understand how their cybersecurity infrastructure compares to the various levels of CMMC 2.0 to understand if any improvements are required. The DOD’s updated program documentation includes the following items:
- CMMC 2.0 Overview
- CMMC 2.0 Spreadsheet and Mapping
- CMMC Glossary
- CMMC Level 1 Scoping Guidance
- CMMC Level 2 Scoping Guidance
- CMMC Level 1 Self-Assessment Guide
- CMMC Level 2 Self-Assessment Guide
Updated CMMC 2.0 Overview Document
This document provides information regarding CMMC 2.0 levels, domains, practices, and various appendices to help contractors shift into this new framework. Contractors are encouraged to review this document as it presents a quick and easy overview of the requirements under each level of CMMC 2.0.
The model is presented in matrix format in Appendix A, sorted by domain for each level. This matrix is also provided in Excel format for contractors to easily map out their current level of compliance. The spreadsheet can be found here and is called CMMC 2.0 Spreadsheet and Mapping.
Contractors who already have mature cybersecurity standards are encouraged to review Appendix B of this document to map their current compliance onto CMMC 2.0 standards. In Appendix B, the DOD has provided a way for contractors to identify which CMMC practices correspond to other cybersecurity frameworks that the contractor may already be using.
The DOD has also provided contractors with scoping guidance for both CMMC Level 1 and CMMC Level 2. For contractors at level 1 of CMMC 2.0, a self-assessment scope must be specified. This documents the assets within the contractor’s cybersecurity environment that will be assessed, as well as the details of the self-assessment.
The Level 2 scoping guidance document provides contractors with information regarding the categorization of assets, which then informs the specification of the assessment scope. It also provides information about contractor requirements, the CMMC assessment, and asset categorization. Contractors are encouraged to review the scoping guidance document for their corresponding level to learn more about how assessments are conducted.
Self-Assessment Guides in the Updated CMMC 2.0
Self-assessment guides were created for both Level 1 and Level 2 of the Model; the DOD has noted that the Level 3 self-assessment guide is still under development. The Level 1 self-assessment guide contains information on compliance, assessment scope, criteria, and methodology, as well as descriptions of the practices and access controls assessed.
The Level 2 self-assessment guide provides similar information, plus coverage of additional areas such as awareness and training, audit and accountability, configuration management, incident response, and risk assessment, among others. Contractors are encouraged to review these guides in preparation for future assessments. It is important to note that once CMMC 2.0 is implemented, self-assessments (under Level 1 and a portion of Level 2) will be required annually. Furthermore, third-party assessments (under a portion of Level 2 and all of Level 3) will be required on a triennial basis.
Action Items and Conclusion:
As CMMC 2.0 includes some major departures from the original CMMC, contractors are encouraged to thoroughly review the resources provided by the DOD to remain compliant and competitive. The above assessment guidance provides an opportunity for defense contractors to stay ahead of the rulemaking process by understanding how their cybersecurity infrastructure is currently functioning. Contractors are encouraged to perform the following activities ahead of the implementation of CMMC 2.0:
- Understanding which CMMC 2.0 level you will be operating under.
- Reviewing which assets in your cybersecurity environment will be assessed by reading the scoping guidance.
- Understanding the specific terms associated with CMMC 2.0 by reviewing the glossary provided by the DOD.
- Using the self-assessment guides to understand the assessment criteria and the methodology of assessments for each level. Performing a self-assessment of the assets that will be examined to understand where your cybersecurity infrastructure may need additional attention.
- Ensuring you have an appropriate CMMC Third-Party Organization (C3PAO) and Certified Assessor to acquire a CMMC Level 2 Certification.
For further information or assistance, please contact Ryan & Wetmore.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries, including government contracting. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Rosie Cheng
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.