
Breaking Down CMMC 2.0 Compliance with Chase Deatherage

Read through this Q&A with Virtual Compliance Manager, Chase Deatherage, who breaks down CMMC 2.0 compliance, the assessment process, and reviews the coming enforcement.


Mar 05, 2025

I recently had the pleasure of sitting down with Chase Deatherage, a Virtual Compliance Manager from DOT Security, to discuss the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) program, which is now official and will soon be enforceable, although it is not yet being mandated in contracts.

In short, CMMC is designed to verify that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared by the DoD with its contractors and subcontractors are actually protected, rather than relying on contractors' own attestations. This gives the DoD increased confidence that contractors and subcontractors are meeting the cybersecurity requirements for processing CUI.

As such, if you hold DoD contracts or plan to pursue them, it's high time to invest in compliance so that your security controls meet the required standard before it is written into your contracts.

Read his full thoughts on CMMC 2.0 compliance in the Q&A below.


1. What Is CMMC 2.0 and How Does it Differ from Earlier Versions?

“The Cybersecurity Maturity Model Certification is really designed to allow organizations to contract with the DoD and take on defense-related contracts while proving their ability to responsibly and securely handle sensitive information. CMMC 2.0 is based on NIST 800-171 Revision 2, which is a security framework that was meant to provide cybersecurity expectations for government contractors.

However, before CMMC, the DoD couldn’t enforce the cybersecurity requirements. While NIST 800-171 was in contracts, the DoD couldn’t force an audit to see if companies were actually implementing NIST 800-171.

The first version was previously split into five different layers. Now though, it’s been simplified into three main layers. At the end of the day, NIST 800-171 is the core, and the three new layers are known as foundational, advanced, and expert.

CMMC level one is the foundational level and covers the first basic 17 controls notated within NIST 800-171 and FAR clause 52.204-21. Level two means you’re implementing the entirety of NIST 800-171, which is the full 110 controls with the 17 foundational controls included, of course. Then level three means you’re meeting an additional 30 or so controls as outlined by NIST 800-172.

The main difference is really in the consolidation between the levels. Collapsing from the original five levels of CMMC, to three allows CMMC 2.0 to be focused on the most critical requirements. This also reduces confusion and creates a more streamlined model.”

2. What Does the CMMC Assessment Process Look Like?

“CMMC is now an official program, even though it’s still not enforceable, because the government needs to update the DFARS contract clause 252.204-7021.

So as of now, in order to get assessed for CMMC, you should be meeting around 80% of the NIST 800-171 controls at bare minimum, so around 88 of the 110. Once you think your organization is implementing 88 or more of the 110 controls, you can reach out to what’s called a C3PAO (Certified Third-Party Assessor Organization) which you can find on the Cyber AB Marketplace.

It’s also important to note that if they’re not on that marketplace, they’re not a C3PAO.

Once you’ve reached out to a C3PAO, they’ll work with you on submitting the proper documentation, like an SSP (system security plan) and POAMs (plans of action and milestones) if you’re under 100% compliant. If you believe you already meet all 110 controls, however, you won’t need to submit POAMs because all 110 controls are fully implemented.

In short, a system security plan briefly explains how each control is implemented across your systems, while POAMs provide a roadmap on how you plan to meet compliance or implement controls.

After the documentation is reviewed, the assessor will determine if the evidence you’ve provided is sufficient. If it is, and the C3PAO believes you to be at least 80% compliant, they’ll then move forward with planning and conducting the actual assessment.

At this stage, they’re not checking if the controls are compliant, rather sufficient, which is an important distinction to make. Sufficient could be as simple as having a defined password policy, while compliance requires that password policy to meet certain complexity requirements.

Once the assessment is conducted, your C3PAO generates a report based on the findings, at which point you may be found compliant, and you’re essentially good to go. More likely though, if you’re not found to be 100% compliant, the generated report will give you a score based on the total risk of your network.

This risk score is based on a scale, where certain controls or vulnerabilities are rated as -1, -3, or -5, with -5 being the most critical and -1 being the least. While failing a -5 risk will result in failing the assessment completely, organizations can create POAMs for -1 risks, which they’ll have 180 days to address and validate, resulting in certification.

If those fixes aren’t implemented, the organization fails the assessment and must start from scratch.”

3. What’s the Difference Between CMMC 2.0 Level 2 and Level 3?

“Going from CMMC level two compliance to level three is a little different, mainly because it’s so niche. The large majority of organizations that need to be CMMC compliant will be compliant with level two. Realistically, out of the thousands and thousands of CMMC compliant organizations, maybe only 100 or so will need to be compliant with level three.

Level three compliance is a lot more stringent because at that point, you’re likely dealing with highly sensitive information that needs additional safeguards to be kept secure.

In order for an organization to even be considered for a level three assessment, they first have to go through the entire assessment process for level two compliance and complete full certification.

Once an organization is fully certified as CMMC level two compliant, they can then apply for a level three assessment. At this point, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will come in and conduct the assessment instead of a third-party assessor, and that’s another major differentiator, the government-conducted assessment.

Again, when we’re talking about level three compliant organizations, we’re discussing entities that are most likely working directly with the government on highly sensitive projects.”

4. How Long Does the Assessment Process Take?

“On the generous side of things, the assessment process is going to take around two to three months if everything goes really smoothly. Typically, though, I tell clients the assessment process is going to take around 18-24 months, especially if there’s remediation to do. And this timeline starts with engaging the C3PAO after remediating at least 80% of the 110 controls and extends through the initial assessment and report.

Of course, if the organization fails the assessment and enters the remediation window, then this whole process can last for an additional 180 days, as they take steps to address the discovered gaps.”

5. What’s the Most Common Obstacle Faced by Organizations Pursuing Compliance?

“Honestly, the biggest thing is just getting started. I mean, CMMC is only now becoming an official program, but it was started with NIST 800-171 back in 2017, so it’s been around for about eight years. Since it hasn’t been official until recently, and still isn’t enforceable, contractors were expected to self-attest compliance by a deadline, though enforcement was almost non-existent.

This isn’t going away. In fact, it’s going to be written into contracts as soon as late Q1 2025, which means it will also be enforceable. The longer an organization waits, the further behind it puts itself. And y’know, there’s a reality where non-compliance causes you to lose business.

Then there’s also the cost, right? Like it can be labor and cost-intensive to remediate all these controls. And the costs can add up quickly, but that’s where you start to look at the revenue generated by your compliance-required contracts, and it becomes more of a true business decision.”

6. Is There a Roll-Out Period?

“Yeah, there will definitely be a roll-out period, because the DoD can’t put a stop to the manufacturing of parts; they need a middle ground, which is the four-year roll-out period that the DoD has settled on.

Essentially though, there will be a four-year roll-out period where CMMC compliance is phased into new contracts, giving companies a comfortable window to become compliant.”

7. Do You Have Any Advice for Companies Looking to Become CMMC 2.0 Compliant?

“High level – if you don’t know where to start or don’t have an in-house expert, just get a consultant. At bare minimum. Y’know, CMMC is here. It’s coming. There aren’t any ifs, ands, or buts about it. So get a consultant and go through the process. It might be a heavy lift, financially or even just a heavy labor investment – but no matter what, it will be a time commitment. I mean, on average, this could be a 1000+ hour labor investment.

I think that’s the main thing: it takes a long time. Again, this whole process can take 18-24 months, and I don’t think that reality is sinking in for a lot of organizations.

But that’s where working with a consultant can be helpful. Not only will it make organizing and managing the certification process a lot easier, but it can also help accelerate certain aspects of the process.

So, at the end of the day – I really do think working with a consultant makes the whole CMMC certification process much smoother from start to finish.”

A Final Note on CMMC 2.0 Compliance

That wraps up my conversation with Chase Deatherage, Virtual Compliance Manager at DOT Security, on CMMC 2.0 and its implications for government contractors and subcontractors. With enforcement on the horizon, compliance is no longer optional.

Organizations that take proactive steps now will be better positioned to secure contracts and protect the sensitive data with which they work.

If your organization holds or pursues DoD contracts that involve FCI or CUI, now is the time to audit your security controls against NIST 800-171 and get the ball rolling on your compliance journey.

Having a layered cybersecurity strategy in place is becoming a business best practice regardless of your industry. Find out more about the role of cybersecurity in business by watching Impact’s webinar, The Safety Debate: Cybersecurity Expert vs. Business Leader.

Tags: Cybersecurity, Mitigate Cyber Risks