Cybersecurity is a crucial concern for many businesses, especially aerospace and defense companies. Ensuring data security protects not only the reputation of the organization but also its customers and stakeholders. To achieve this, the United States Department of Defense (DoD) has created a cybersecurity framework known as the Cybersecurity Maturity Model Certification (CMMC).
Let us explore the different levels of CMMC 2.0 and the steps businesses can take to achieve compliance.
What Is CMMC 2.0?
CMMC 2.0 is a cybersecurity framework that safeguards sensitive, unclassified national security information held by the defense industrial base (DIB). Due to more frequent and complex cyberattacks, the DoD created CMMC 2.0 with streamlined requirements, such as:
- Simplified compliance, in some cases allowing self-assessment
- Prioritized protection of DoD information
- Reinforced cooperation between the defense industry and DoD regarding evolving threats
The framework includes cyber protection standards that aim to protect against advanced persistent threats (APTs) and incorporates several updates from the previous version, CMMC 1.0. These updates address:
- Improving accountability while reducing barriers to compliance with DoD CMMC requirements
- Protecting sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)
- Continually improving DIB cybersecurity to address evolving threats
When implemented into acquisition programs, CMMC 2.0 standards help ensure contractors and subcontractors meet DoD cybersecurity requirements.
Differences/Additions From CMMC 2.0 Level 1 (Scale)
CMMC 1.0 originally had five levels of maturity, but CMMC 2.0 has eliminated two, leaving three levels. These changes aim to reduce red tape and costs, boost trust in CMMC assessments, and align cybersecurity requirements with other federal standards. Here is an overview of each maturity level of CMMC 2.0.
Level 1
The requirements for this level include affirmation by company leadership and a yearly self-assessment. There are no changes to the 17 basic cyber hygiene best practices.
Level 2
This level has replaced CMMC 1.0 Level 3, with 20 controls eliminated from the original Level 3 requirements. Thus, contractors only need to implement the 110 controls of NIST SP 800-171.
The DoD will designate the prioritized acquisitions that require an independent third-party evaluation based on the new Level 2 requirements. Non-prioritized acquisitions are only required to conduct a self-evaluation and affirmation by their own leaders.
Level 3
This new Level 3 will take the place of CMMC 1.0 Levels 4 and 5. Although the specifics are not yet finalized, it is likely to incorporate measures from NIST SP 800-172, and evaluations will be conducted by the government.
CMMC 1.0 mandated that all DoD contractors undergo third-party assessments to ensure compliance, but CMMC 2.0 eases these requirements for businesses that do not handle information related to prioritized acquisitions.
Based on the specific CMMC 2.0 level, this is how assessments will now be carried out:
- Level 1: Most Level 1 contractors, as well as a subgroup of Level 2 contractors, can carry out annual DIB self-assessments.
- Level 2: Contractors on non-prioritized acquisitions will complete self-assessments and submit affirmations by company leadership to the DoD. Organizations with prioritized acquisitions need to obtain third-party certifications every three years.
- Level 3: All Level 3 contractors must undergo triennial assessments done by government officials.
Key Features of CMMC 2.0
CMMC 2.0 provides several key benefits to DIB companies.
CMMC 2.0 features a streamlined model that focuses on critical requirements, reducing the total number of compliance levels from five to three. The framework aligns with widely accepted cybersecurity standards set by the National Institute of Standards and Technology (NIST).
The revised framework lowers assessment costs by enabling most organizations at Level 1 and some at Level 2 to prove compliance through annual self-assessments, reducing the financial burden of third-party assessments. CMMC 2.0 also increases oversight of the standards that third-party assessors must meet.
CMMC 2.0 provides flexible implementation options. Under some circumstances, companies can create Plans of Action and Milestones (POA&Ms) to obtain certification. The government can also waive the inclusion of CMMC requirements in some circumstances. The levels are now tiered, with each level building on the controls and practices required by the previous one.
Defense Manufacturing by Ardel Engineering
As a defense contractor, Ardel Engineering is committed to delivering the highest quality aerospace and defense products to our customers while maintaining tight confidentiality and data security.
We are ISO certified and ITAR registered. Learn more about our capabilities.