CMMC 2.0 - What UK-Based Contractors Need to Know

Guest blog by Danielle Barbour, Director of Product Marketing at Kiteworks

UK-based contractors often represent a crucial link in the United States Department of Defense (DOD) supply chain. Because of this, it is imperative that they understand what CMMC, the Cybersecurity Maturity Model Certification program, is and what they need to do to ensure they become compliant.

CMMC is designed to reinforce the DOD’s supply chain and protect the information that enables its war fighters. And for good reason. The Defense Industrial Base (DIB) is “a target of more frequent and complex cyberattacks”. Therefore, in order to protect sensitive security information, the DOD has revitalised its CMMC program with cybersecurity standards designed to meet these evolving threats.

The initial vision and basic features of the CMMC programme was introduced in September 2020 through an interim rule to the DFARS in the Federal Register. It outlined a basic framework which included a tiered model, assessments, and implementation for contractors. Over the next year, the DOD collected feedback from cybersecurity and acquisition leaders within the DOD, as well as public comments, to help refine the policy.

This resulted in CMMC 2.0, the second iteration of the programme, which was released in 2021, and is due to be enforced in 2025.

CMMC 1.0 vs CMMC 2.0

Both CMMC 1.0 and 2.0 were designed to safeguard controlled unclassified information (CUI) and federal contract information (FCI) within the DIB.

CMMC is the framework that outlines the cybersecurity requirements against which the DOD will assess and certify contractors. Any organisation that doesn’t meet these requirements will be unable to work with the DOD from 2025 onwards.

Based on the feedback, CMMC 1.0 was replaced with CMMC 2.0 to achieve the following goals:

Reduce the cost of meeting CMMC requirements
Increase trust in the CMMC assessment ecosystem
Align CMMC requirements with other federal requirements and common standards

These updates streamlined the CMMC model, provided additional clarity, and reduced the regulatory burden to make it easier for contractors to comply with its requirements.

Main differences

Some of the main differences between CMMC 1.0 and 2.0 relate to maturity levels. CMMC 1.0 outlined five maturity levels, which has since been reduced to three under CMMC 2.0, removing levels 2 and 4. These are:

Level 1: Foundational remains unchanged. It requires an annual self-assessment that has attestation from a corporate executive. It also encompasses the FCI safeguarding requirements from FAR Clause 52.204-21.
Level 2: Advanced reorganised the previous Level 3 to align with the 14 domains that align with the families specified in NIST SP 800-171. It requires triennial third-party assessments for contractors that send, share, receive, and store critical national security information.
Level 3: Expert combines the previous Levels 4 and 5. It aims to align with NIST SP 800-172 and will require triennial government-led assessments but is still in development.

Then there is the differences in domain structures. The CMMC 2.0 domain structures are much more comprehensive than those outlined in the CMMC 1.0 model. These additional domains are more specific to the daily operations of contractors and aim to create greater assurance of asset security.

Finally, there is the fact that CMMC 2.0 has introduced third-party assessors for certifying that DIB supply chain contractors are meeting the required standards. C3PAOs will be responsible for evaluating and issuing certificates at Level 2.

How to Become CMMC 2.0 Compliant

Those currently working with or planning to work with the DOD must demonstrate compliance with CMMC 2.0 by 2025. Overall, compliance falls into 14 different domains, these are access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, physical protection, personnel security, risk assessment, security assessment, system and communications protection, and system and information integrity.

First, organisations must determine which tier they fall under so they can act appropriately. Remember, that different levels of maturity will necessitate different actions for compliance. For example, if a bid or contract involves handling CUI, controlled technical information (CTI), or ITAR / export-controlled data, it will fall under the Level 2 criteria.

It is then important to conduct a risk self-assessment, review and leverage existing NIST frameworks, create a POA&M and SSP, select a C3PAO, set a timeline and budget, implement tailored security controls, establish an incident response plan, monitor security controls performance and identify issues, and document compliant actions.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more