CMMC 2.0 Frequently Asked Questions and What You Need to Know to Prepare for Compliance

March 7, 2024

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for Department of Defense (DoD) acquisitions aimed at securing the Defense Industrial Base (DIB) supply chain. The “CMMC 2.0” framework consists of three levels and can require an independent third-party certification by an accredited organization.

On December 26, 2023, the proposed final rule for the CMMC Program, CFR Part 170, was published in the Federal Register. The rule may be implemented as early as March 2025. Preparing for CMMC may take longer than many companies realize, so the keys to success are readiness and preparation.

Cherry Bekaert is an authorized CMMC Third-Party Assessment Organization (C3PAO), accredited by the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (The Cyber AB). We assist Organizations Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2, and 3 and perform DIBCAC High (NIST 800-171) Assessments in partnership with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance audit program.

As the Firm has helped clients prepare for the CMMC program, several Frequently Asked Questions (FAQs) have emerged. Below, we share what we believe to be their best answers:

What Is CMMC?

CMMC is a major DoD program aimed at securing the DIB supply chain by increasing the protection of controlled unclassified information (CUI) and Federal Contract Information (FCI) within the DIB. The CMMC program framework is based largely upon the National Institute of Standards and Technology (“NIST”) SP 800-171 and SP 800-172 standards and consists of three levels of maturity, which can require an independent third-party certification by an accredited organization.

Why Is CMMC Important?

The CMMC program is designed to enforce the protection of sensitive, unclassified information shared within the DIB. The framework, as announced by the DoD in November 2021, is intended to:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

Who Does CMMC Apply To?

All DoD prime contractors and subcontractors that plan to bid on contracts with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7021, or the “CMMC Clause,” will be required to obtain a CMMC certification prior to contract award.

It is also widely anticipated that CMMC will eventually extend past DoD contractors to include civilian agencies as well.

What Are the CMMC Requirements?

The CMMC program framework consists of three levels. Companies at Level 1 and a subsection of companies at Level 2 will only be required to demonstrate compliance through annual self-assessments. Triennial third-party assessments at Level 2 for prioritized acquisitions will be required for critical national security information, while triennial government-led assessments will be required at Level 3.

How Many CMMC Levels Are There?

The CMMC framework consists of three organizational maturity levels and can require an independent third-party certification by an accredited organization. The three levels include:

  • CMMC Level 1 – Basic safeguarding of Federal Contract Information (FCI)
  • CMMC Level 2 – (Previous CMMC 1.0 Level 3) Protecting CUI
  • CMMC Level 3 – (Previous CMMC 1.0 Levels 4 and 5) Protecting CUI and reducing the risk from Advanced Persistent Threats (APTs)

What CMMC 2.0 Level Do I Need?

DoD prime contractors and subcontractors that handle Federal Contract Information (FCI) will be required to demonstrate Level 1 compliance through annual self-assessments.

DoD prime contractors and subcontractors that handle controlled unclassified information (CUI) for prioritized acquisitions will be required to meet Level 2 compliance. This will require triennial third-party assessments by an authorized C3PAO by The Cyber AB.

DoD prime contractors and subcontractors managing CUI within DoD’s highest priority programs will be required to meet Level 3 compliance. CMMC Level 3 requires a CMMC Level 2 Final Certification plus a CMMC Level 3 Government-Led Assessment based on 24 practices aligned with NIST SP 800-172.

The level of certification required will be specified within the DoD solicitation. Questions about the CMMC Level required by the solicitation should be directed to the contracting officer. Prime contractors are required to flow down CMMC requirements to their subcontractors within the subcontract. For example, if the subcontractor will be handling FCI data as part of the subcontract, then the prime is required to flow down CMMC Level 1 requirements. Likewise, if the subcontractor will be handling CUI data as part of the subcontract, then the prime is required to flow down CMMC Level 2 or 3 requirements. Questions about the CMMC Level required for subcontracts should be directed to the prime contracting officer.

How Do I Prepare for CMMC Certification?

Preparation is the key to success. Companies should begin to prepare for a CMMC assessment now by assessing their readiness to achieve the appropriate CMMC Level.

The main areas companies should focus on to get ready for a CMMC assessment include:

  1. Identify the correct CMMC Level of certification required.
  2. Identify and document the assessment scope based on the CMMC Level 1, 2 or 3 Scoping Guidance. The scope should clearly define the system boundaries and asset categorization, including any out-of-scope assets.
  3. Complete a gap analysis against the CMMC Level 1, 2 or 3 Assessment Guides. The gap analysis is key to determining compliance with the applicable CMMC Level. It will assess a contractor’s current state of compliance and identify gaps that the company will need to remediate prior to its assessment. A gap analysis will also help companies ready themselves by identifying key team member roles and responsibilities and what the assessor will consider adequate evidence. This can be done by identifying the employees who will be the control owners, inquiring with the control owners to ascertain their understanding of each requirement, and then testing the control requirements according to the CMMC Assessment Guide.
  4. Address the gaps identified in the gap analysis. Recommendations would be provided so that the OSC can adequately remediate identified gaps. The contractor may need to address gaps in technical configurations or in its internal documentation. It is likely the OSC will need to update its System Security Plan to address the additional requirements from the proposed rule.

Because the rigid requirements mean preparing for CMMC may take longer than many businesses realize, it’s essential that they undertake the whole cycle with real rigor. This isn’t a process where most organizations can see a contract hit the streets and quickly prepare and obtain the necessary certification in order to potentially be awarded within 30 to 60 days.

Companies may underestimate the time and resources required to prepare. Best estimates are that the majority of companies should allow at least six months of preparation time, while accepting that there will be a spectrum. The proposed rule has additional requirements that were not part of DFARS 252.204-7012, the clause that contractors handling CUI data as part of a DoD contract have had to comply with since December 31, 2017. For example, the proposed rule and applicable scoping guides introduced the asset category Security Protection Assets (SPA), which are assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope. This category includes people, technology and facilities, such as managed service provider personnel who perform system maintenance, cloud-based security solutions, hosted VPN services, SIEM solutions, co-located data centers, security operations centers (SOCs), contractor office buildings, etc. SPAs are part of the assessment scope and are required to conform to applicable CMMC practices, regardless of their physical or logical placement. This has significant ramifications for OSCs and may require them to reengineer an architecture that was previously compliant with DFARS 252.204-7012.

When Will CMMC 2.0 Compliance Be Required for DoD Contracts?

The rule may be implemented as early as March 2025 once the Title 48 acquisition rule is final. The four DoD implementation phases are outlined below, each with a summary of its requirements and its start date.

Phase 1

Summary:
  • DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessments for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may include:
    • CMMC Level 1 or CMMC Level 2 Self-Assessments for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
    • CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.

Timeline: Begins on the effective date of the CMMC revision to DFARS 7021.

Phase 2

Summary:
  • The DoD intends to include CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may:
    • Delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award.
    • Include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.

Timeline: Begins six months following the start date of Phase 1.

Phase 3

Summary:
  • CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
  • CMMC Level 3 Certification Assessment requirements included for all applicable DoD solicitations and contracts as a condition of contract award.

Timeline: Begins one calendar year following the start of Phase 2.

Phase 4

Summary:
  • Full implementation.
  • The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

Timeline: Begins one calendar year following the start date of Phase 3.

What Is the Cost Allocation for CMMC?

The proposed rule makes it clear that any costs associated with implementing the NIST 800-171 requirements should already have been incurred through complying with DFARS 252.204-7012. Where the proposed rule specifies requirements beyond those of DFARS 252.204-7012, contractors may expense the costs of complying with those additional requirements as allowable. For example, the rule requires certain contractors handling CUI to have a Level 2 Certification Assessment, which is a new requirement that was not part of previous rulings. Contractors should be able to expense assessment costs as allowable. Furthermore, the rule notes that other cost burdens, such as self-assessments or the annual affirmation upload to SPRS, will be addressed in the Title 48 acquisition rule.

Is CMMC Certification Available?

The certification process for OSCs has not begun. Contractors with current DoD contracts may be eligible for the Joint Surveillance audit program. As an authorized C3PAO, Cherry Bekaert partners with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance audit program to perform DIBCAC High NIST 800-171 Assessments, which are convertible to CMMC Level 2 Certification when the rule becomes final if a perfect score is obtained.

Having itself undergone a Level 2 assessment by the DCMA DIBCAC as a Firm, Cherry Bekaert has a deep understanding of the assessment process and can guide DoD contractors seeking a CMMC assessment.

Contact Us

If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.