By Chor-Ching Fan
As a DoD contractor or subcontractor, achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 is essential for securing and maintaining contracts with the Department of Defense (DoD). CMMC 2.0 is designed to protect sensitive unclassified information within the defense industrial base (DIB). It has been updated to reduce its framework from five levels to three. Here’s an overview of CMMC 2.0 and the timeline for its implementation.
What is CMMC 2.0?
CMMC 2.0 is a streamlined framework to ensure robust cybersecurity practices among DoD contractors. The updated version aligns closely with the NIST SP 800-171 control framework and includes three levels of compliance:
CMMC Level 1: Basic Cyber Hygiene
- Number of Controls: 15 controls
- Description: This level covers the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21. It is designed to protect Federal Contract Information (FCI) and is verified through an annual self-assessment.
CMMC Level 2: Intermediate Cyber Hygiene
- Number of Controls: 110 controls
- Description: This level maps one-to-one to the 110 security requirements of NIST SP 800-171 and is intended to protect Controlled Unclassified Information (CUI). Depending on the contract, an organization either performs an annual self-assessment or undergoes a certification assessment every three years by a CMMC Third-Party Assessment Organization (C3PAO); the DoD decides which applies based on the criticality of the CUI involved.
CMMC Level 3: Advanced Cyber Hygiene
- Number of Controls: 134 controls (the 110 NIST SP 800-171 requirements plus 24 selected from NIST SP 800-172)
- Description: This level builds on Level 2 by adding a subset of the enhanced requirements from NIST SP 800-172, designed to protect highly sensitive CUI and reduce the risk of advanced persistent threats (APTs). It requires a higher level of cybersecurity maturity: an organization must first hold a Level 2 C3PAO certification, and the Level 3 assessment itself is conducted by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than by a third party.
All DoD contractors and subcontractors that handle FCI must achieve at least Level 1 compliance to continue working with the DoD. The required level depends on the sensitivity of the information handled by the contractor: FCI only calls for Level 1, CUI calls for Level 2, and the most sensitive CUI calls for Level 3.
Why CMMC 2.0 Matters
The introduction of CMMC underscores the DoD’s focus on enhancing the cybersecurity posture of its contractors. Compliance not only secures critical information but also positions contractors to win new contracts and maintain existing ones.
CMMC 2.0 Implementation Timeline
The implementation of CMMC 2.0 is being phased in over several years, with significant milestones along the way. Here’s a breakdown of the expected timeline:
- 2021: The DoD began incorporating CMMC requirements into select requests for information (RFIs) and requests for proposals (RFPs). These initial steps were designed to prepare contractors for the forthcoming changes.
- 2022-2024: The DoD will continue to integrate CMMC requirements into an increasing number of contracts. This gradual rollout allows contractors time to adjust and begin the necessary compliance measures.
- Q1 2025: The DoD aims to include CMMC requirements in all new contracts. This means that by the start of 2025, any new DoD contract will likely necessitate CMMC compliance.
While full implementation is expected by 2025, contractors should not wait to begin their compliance journey. Early preparation is crucial as proposals will increasingly be evaluated based on adherence to CMMC Level 2 practices.
Preparing for CMMC 2.0 with Rizkly
Achieving and maintaining CMMC compliance can be complex and resource-intensive, especially for SMBs without deep pockets and large IT departments. Rizkly offers a comprehensive solution to simplify this initiative through our CMMC compliance automation platform along with optional expert guidance services to help you stay on track.
Rizkly exceeds the DoD's FedRAMP Moderate Equivalency requirement for cloud services that handle CUI, so you can be confident in using our secure automation application to stay on top of compliance efforts, track tasks, organize artifacts, and generate audit-ready documentation. Using Rizkly, you can assign ownership of tasks, view compliance status, and receive alerts for control reviews and evidence attachment, ensuring that nothing falls through the cracks. You can generate audit-ready documents, such as a System Security Plan (SSP) and an Incident Response Plan (IRP), with a single click. Rizkly reduces the time and effort needed for documentation so that you can focus on implementing security measures. And, as needed, our CMMC experts are available to guide you through every step, from defining your system boundary to preparing for your C3PAO assessment. They provide you with a prioritized action plan and answer any questions you might have.
Conclusion
CMMC 2.0 compliance is not just a requirement but a competitive advantage in the defense contracting space. By understanding the framework and preparing early, small and mid-size defense contractors can position their organizations for success. Rizkly is here to support you every step of the way, ensuring you achieve and maintain the necessary CMMC compliance. Contact us today to learn more about how we can help you navigate the complexities of CMMC 2.0.