As the CMMC framework evolved, feedback and insights from industry stakeholders played a crucial role in shaping its trajectory. The transition from CMMC 1.0 to the latest iteration involved a thorough review and consideration of public comments, leading to significant refinements. In this latest release, the CMMC framework, now known as CMMC 2.0, reflects a more streamlined and focused approach. It retains the core objective of safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) but with revisions for greater clarity and feasibility. Key changes include the consolidation of maturity levels and the introduction of more precise assessment requirements. This evolution signifies the DoD's commitment to adapt and refine its strategies in response to the dynamic cybersecurity landscape, aiming to strike a balance between rigorous security measures and practical implementation for defense contractors.

The journey from CMMC 1.0 in 2020 to the current version exemplifies a proactive and responsive approach to cybersecurity, underscoring the critical importance of continuous improvement in defense sector security protocols.

Core Features of the proposed CMMC Rule

Tiered Model of Cybersecurity Standards

The proposed CMMC rule re-introduces a tiered model, categorizing cybersecurity standards into different levels based on the sensitivity of the information handled by contractors. This model ensures a scalable and appropriate set of requirements for various types of information, from Federal Contract Information (FCI) to Controlled Unclassified Information (CUI).

Assessment Requirements

A significant change in the CMMC Rule is the shift from self-attestation to mandatory independent third-party assessments for the higher levels. These assessments verify the implementation of cybersecurity standards, ensuring that contractors comply not only on paper but in practice.

For CMMC Level 2 (for the sharing of CUI) the frequency of assessments depends on the type of assessment required for your contract. There are two types of assessments for CMMC Level 2: Self-Assessment and Certification Assessment.

Self-Assessment: If your contract requires a CMMC Level 2 Self-Assessment, this needs to be performed on a triennial basis, meaning once every three years. After conducting the self-assessment, the results must be entered electronically in the Supplier Performance Risk System (SPRS).

Certification Assessment: If your contract requires a CMMC Level 2 Certification Assessment, this is conducted by an independent third-party assessor. The certification obtained from this assessment is also valid for up to three years.

Therefore, regardless of the assessment type, for CMMC Level 2 you are required to undergo an assessment process every three years to maintain compliance. Between assessments, the proposed rule also requires an annual affirmation of continued compliance, entered in SPRS by a senior official of the contractor.

For CMMC Level 3, the assessment frequency is set to ensure ongoing compliance and security. Under CMMC, contractors at Level 3 are required to undergo an assessment by Department of Defense (DoD) assessors, and the proposed rule requires a Level 2 Certification Assessment as a prerequisite. The certification obtained from this Level 3 assessment is valid for a period of up to three years.

This means that for maintaining compliance with CMMC Level 3, contractors need to be reassessed every three years. This triennial assessment cycle is crucial for ensuring that the advanced cybersecurity practices and controls required at Level 3 are consistently maintained and updated in response to evolving cyber threats and changes in technology.

Implementation Through Contracts

CMMC requirements are integrated into defense contracts, making compliance a prerequisite for contract eligibility. This approach ensures that cybersecurity standards are not an afterthought but a fundamental criterion in the defense contracting process.

Understanding the Levels of the Proposed CMMC Rule

Central to this framework are the CMMC levels, each representing a distinct set of requirements and practices aimed at enhancing the cybersecurity posture of defense contractors. These levels are the same as the CMMC 2.0 requirements, ensuring a standardized approach to protecting sensitive information. This introduction will explore the three levels of CMMC 2.0, described here by their CMMC 1.0 "hygiene" names (CMMC 2.0 officially calls them Foundational, Advanced, and Expert): Level 1: Basic Cyber Hygiene, Level 2: Intermediate Cyber Hygiene, and Level 3: Advanced Cyber Hygiene.

Each level escalates in complexity and rigor, reflecting the increasing need for comprehensive security measures in the face of evolving cyber threats. From implementing basic security controls to adhering to advanced NIST standards, these levels provide a clear roadmap for contractors to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), ensuring compliance and enhancing overall cyber resilience.

Level 1: Basic Cyber Hygiene

Level 1 focuses on basic cybersecurity practices to protect FCI. It requires contractors to implement 15 security controls and conduct annual self-assessments.

Level 2: Intermediate Cyber Hygiene

Level 2 aligns with NIST SP 800–171 Rev 2, involving 110 security requirements for protecting CUI. Contractors must undergo either self-assessment or third-party certification, depending on the contract's sensitivity.

Level 3: Advanced Cyber Hygiene

This level introduces additional security requirements from NIST SP 800–172. It's designed for contracts involving highly sensitive information, requiring rigorous DoD assessments.

Delving Deeper into FedRAMP Equivalency in the proposed CMMC Rule

One "Easter egg" of the Cybersecurity Maturity Model Certification (CMMC) rule, as proposed by the Department of Defense (DoD), is the official definition of FedRAMP Moderate Equivalency. The rule places significant emphasis on FedRAMP equivalency, especially for defense contractors that use cloud services to store, process, or transmit CUI. Understanding what it takes to achieve this equivalency is crucial for contractors to ensure compliance and maintain eligibility for DoD contracts.

Defining FedRAMP Moderate Equivalency (Finally!)

Up until this point, organizations have had no government-provided definition of FedRAMP equivalency; they were making their best guess. The proposed rule changes that by spelling out what equivalency means for cloud services. FedRAMP (the Federal Risk and Authorization Management Program) sets standards for Cloud Service Providers (CSPs) handling federal data. Under CMMC, defense contractors using CSPs for CUI must ensure these providers meet or exceed the FedRAMP Moderate baseline. FedRAMP equivalency is defined in the proposed rule as follows:

"Equivalency is met if the OSA* has the Cloud Service Provider's (CSP) System Security Plan (SSP) or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix (CRM) that summarizes how each control is MET and which party is responsible for maintaining that control that maps to the NIST SP 800–171 Rev 2 requirements."

*OSA is the Organization Seeking Assessment (the defense contractor)

Breaking Down the Three Components of FedRAMP Moderate Equivalency

1. System Security Plan (SSP)

Description of the System Environment: The SSP must provide a comprehensive overview of the cloud environment, detailing how the CSP's infrastructure, software, people, and processes interact to protect data.

System Responsibilities: Clearly defined roles and responsibilities are essential. The SSP should delineate the security responsibilities of the CSP and the contractor, ensuring no gaps in accountability.

2. Status of Moderate Baseline Controls

Current Status: The documentation must include a thorough evaluation of the CSP's current security controls against the FedRAMP Moderate baseline.

Control Implementation: It's not enough to just list the controls; the documentation must demonstrate how each control is implemented in the CSP's environment.

3. Customer Responsibility Matrix (CRM)

Control Summary: The CRM plays a pivotal role in mapping out how each of the 110 NIST SP 800-171 controls (and, in the case of CMMC Level 3, also each of the 24 NIST SP 800-172 controls) is met. It should provide a clear, concise summary of the implementation status of each control as it relates to the cloud service being provided.

Responsibility Allocation: The CRM must specify which party (the CSP or the OSA) is responsible for managing and maintaining each control. This clarity is crucial for ensuring continuous compliance and facilitating audits or assessments.

Achieving and Demonstrating Equivalency

Collaboration with CSPs

Contractors must work closely with their CSPs to ensure that the necessary security measures are in place and properly documented. This collaboration is key to developing an SSP and CRM that meet the DoD's requirements.

Continuous Monitoring and Updating

Achieving equivalency is not a one-time event. Contractors must ensure ongoing compliance by regularly reviewing and updating their SSP and CRM in response to changes in the cloud environment or emerging threats.

Documentation and Transparency

Maintaining detailed and up-to-date documentation is critical. Because the OSA is the contractor itself, it is the OSA that must be prepared to present the CSP's SSP and CRM to its assessor (a C3PAO for a Level 2 Certification Assessment, or DoD assessors at Level 3) to demonstrate that equivalency is met.

Alignment with NIST SP 800–171 Rev 2

The CRM, in particular, must clearly map each control to the NIST SP 800–171 Rev 2 requirements, ensuring that all necessary security measures for protecting CUI are in place and accounted for.
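The CRM requirements above (every NIST SP 800-171 requirement accounted for, a status for each, and a named responsible party) lend themselves to a mechanical check before an assessment. The following script is an added example, not part of the proposed rule or any CSP's tooling. It assumes a simple CSV CRM with the columns `requirement_id`, `status`, `responsible_party` and `customer_action`; the requirement IDs used are real SP 800-171 Rev 2 identifiers but only a constructed subset of the 110, and the CRM rows are constructed for illustration.

```python
"""Check a Customer Responsibility Matrix (CRM) against NIST SP 800-171 Rev 2
requirement IDs and report FedRAMP-equivalency gaps.

Added example, not from the proposed CMMC rule or any vendor's tooling.
Assumed CSV columns: requirement_id, status, responsible_party, customer_action.
"""
import csv
import io

# Constructed subset of SP 800-171 Rev 2 requirement IDs (real IDs, not all 110).
REQUIRED_IDS = ["3.1.1", "3.1.2", "3.3.1", "3.5.3", "3.13.11", "3.14.1"]

# Only "Met" satisfies the equivalency definition; anything else is a gap.
ACCEPTED_STATUS = {"met"}
ACCEPTED_PARTIES = {"csp", "customer", "shared"}

# Constructed sample CRM (not a real CSP's CRM).
SAMPLE_CRM = """requirement_id,status,responsible_party,customer_action
3.1.1,Met,CSP,
3.1.2,Met,Shared,Customer configures RBAC roles
3.3.1,Met,Shared,
3.5.3,Met,Customer,Customer enforces MFA on all accounts
3.14.1,Partially Met,CSP,
"""


def parse_crm(text):
    """Parse CSV text into a dict keyed by requirement_id with normalized fields."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rid = row["requirement_id"].strip()
        rows[rid] = {
            "status": row["status"].strip().lower(),
            "party": row["responsible_party"].strip().lower(),
            "action": (row.get("customer_action") or "").strip(),
        }
    return rows


def find_gaps(crm, required_ids=REQUIRED_IDS):
    """Return (requirement_id, reason) pairs for every requirement that does not
    satisfy the equivalency definition: present, MET, and owned by a named party."""
    gaps = []
    for rid in required_ids:
        row = crm.get(rid)
        if row is None:
            gaps.append((rid, "missing from CRM"))
            continue
        if row["status"] not in ACCEPTED_STATUS:
            gaps.append((rid, f"status is '{row['status']}', not 'met'"))
        if row["party"] not in ACCEPTED_PARTIES:
            gaps.append((rid, f"unknown responsible party '{row['party']}'"))
        # A shared or customer-owned control with no stated customer action means the
        # OSA cannot show what it must implement on its side of the boundary.
        if row["party"] in {"shared", "customer"} and not row["action"]:
            gaps.append((rid, "customer-owned or shared control with no customer action"))
    return gaps


def customer_obligations(crm):
    """Requirement IDs the OSA must implement or co-implement itself."""
    return sorted(rid for rid, r in crm.items() if r["party"] in {"shared", "customer"})


if __name__ == "__main__":
    crm = parse_crm(SAMPLE_CRM)
    for rid, reason in find_gaps(crm):
        print(f"GAP {rid}: {reason}")
    print("OSA obligations:", customer_obligations(crm))
```

Run against the constructed CRM, the check flags 3.3.1 (shared, but no customer action stated), 3.13.11 (absent from the CRM entirely) and 3.14.1 (only partially met by the CSP). The last list is the set of controls the contractor itself must evidence in its own SSP; the gaps are what the contractor must resolve with the CSP before claiming equivalency.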

Meeting the Equivalency

FedRAMP