Published by the Department of Defense (DoD), the final rule for the Cybersecurity Maturity Model Certification (CMMC) program was released on October 14, 2024. This new rule took effect on December 16, 2024.

The DoD launched the CMMC initiative to improve data protection in the Defense Industrial Base (DIB). The following are the two categories of data that CMMC is concerned with protecting:

  • Controlled Unclassified Information (CUI) is information produced or acquired by the U.S. government, or by another entity for or on behalf of the government, that calls for safeguarding or distribution controls in line with applicable laws, regulations, and government-wide policies.
  • Federal Contract Information (FCI) is information, not intended for public disclosure, that is given by or produced for the government under a contract to develop or supply a good or service.

We will discuss CMMC reforms, their effects on different organizations, and the available resources for managing these changes.

Understanding the CMMC Program Rule Changes

While still maintaining strong security standards for safeguarding CUI and FCI, these developments streamline the certification process, reduce costs, and give more flexibility. The reforms also seek to make compliance more easily available, especially for small and medium-sized companies, through self-assessment.

Phased Rollout

CMMC compliance will be introduced through a structured four-phase rollout over the course of three years. This approach is designed to give companies adequate time to familiarize themselves with and adopt the new, required practices. Below is the current plan:

  • Phase 1: Starting December 16, 2024, Level 1 and Level 2 self-certifications will be required as a condition of contract awards.
  • Phase 2: Six months after Phase 1, third-party assessments for Level 2 will be required for applicable DoD contracts.
  • Phase 3: A year after Phase 2, CMMC requirements will start appearing in new contracts and Level 2 certification requirements will extend to contracts awarded before December 16th of this year.
  • Phase 4: Full implementation across all applicable contracts is expected by mid-2028.

Simplified Assessment Levels

The new version also reduced the number of assessment levels from five to three, eliminating the two transitional levels present in the previous version, with the goal of streamlining the compliance process for small and medium-sized organizations by no longer requiring third-party assessments at each level. Below is a quick description of each level:

  • Level 1 (Foundational): Basic cybersecurity practices to protect FCI. Requires annual self-assessment, based on 17 practices.
  • Level 2 (Advanced): More advanced practices to protect CUI. Assessment through self-assessment or by a third-party, depending on contract requirements. Based on 110 practices.
  • Level 3 (Expert): Designed to protect CUI from advanced persistent threats. Requires assessment by the DIB Cybersecurity Assessment Center. Based on the same 110 practices as Level 2, with some additional requirements.

Alignment with Federal Standards

This version more precisely matches federal guidelines. The previous version included criteria unrelated to NIST standards even though it drew its practices from NIST SP 800-171. Under the updated model:

  • Level 1 aligns with the requirements outlined in the Federal Acquisition Regulation (FAR) 52.204-21.
  • Level 2 directly corresponds to the controls specified in NIST SP 800-171, designed to protect Controlled Unclassified Information (CUI).
  • Level 3 is mapped to the advanced security measures of NIST SP 800-172, aimed at countering sophisticated threats.

Self & Third-Party Assessments

Under the new rule, self-assessments can be performed by all Level 1 organizations and a small subset of Level 2 organizations. The remaining Level 2 organizations will be required to hire a Certified Third-Party Assessor Organization (C3PAO) to conduct their assessment. C3PAOs are authorized by the CMMC Accreditation Board (CMMC-AB) to conduct these third-party assessments. A list of C3PAO candidates can be found here. Finally, all Level 3 organizations are required to undergo an assessment led by the DIB Cybersecurity Assessment Center.

A simplified framework now includes a rollout plan, a reduced number of assessment levels, alignment with federal standards such as NIST, and self-assessment options for some organizations.

The Impact of CMMC Changes

It is important to understand how these changes will affect different organizations: some businesses may remain unaffected until the start of Phase 3, while others may need to adapt to these changes much sooner. Understanding the effect that these changes may have on your specific business is critical for successful compliance.

Compliance Requirements

Program managers are responsible for determining the appropriate CMMC level based on these five factors. The guide below gives a brief overview for determining your assessment level and type:

  • Identify the type of information you handle or intend to handle: FCI, CUI, or critical national security information.
  • Assess your existing contract requirements: FAR 52.204-21 (Level 1), DFARS 252.204-7012 (Level 2), or DFARS 252.204-7012 plus completion of a DIBCAC High Assessment (Level 3).

Level 2 organizations that handle information critical to national security are required to have a C3PAO assessment conducted, instead of conducting a self-assessment.

Benefits

Small and medium-sized organizations stand to benefit most from the introduction of self-assessments, as it minimizes the burden of relying on third-party assessments for compliance. Additionally, the planned rollout will benefit those already compliant with current CMMC standards, as these organizations do not have to transition until a later date.

Challenges & Scoping

One of the main challenges LBMC sees companies face is accurately identifying and categorizing CUI within their environment. It is critical for organizations to fully understand the scope of CUI and FCI to ensure that the necessary assets are in scope.

Smaller organizations may also struggle with assembling the resources required to implement and maintain cybersecurity practices to reach CMMC compliance, especially when transitioning from self-assessments to third-party assessments.

The detailed and stringent requirements at Levels 2 and 3 can be overwhelming for business leaders, many of whom struggle with creating a plan to tackle these compliance tasks. Organizations must implement 110 practices to protect CUI at Level 2, which requires significant effort and expertise.

Overall, these changes create a balance between the need to implement robust cybersecurity measures and the practicality of implementation for organizations of varying sizes.

Resources & Support

Tackling these challenges can seem overwhelming for many organizations striving to achieve CMMC compliance. There are numerous benefits in partnering with a third party like LBMC to assist you on your CMMC compliance journey.

Consulting Services

Professional consultants can offer expert guidance suited to your organization’s specific needs and circumstances. They assist in understanding the implications of the CMMC rule changes, developing customized compliance roadmaps, and ensuring a smooth path to certification. LBMC can help define the scope of your assessment and assist in understanding where CUI exists within your unique environment. We also perform risk assessments and gap analyses, which are crucial for identifying areas of improvement and creating remediation plans for areas of deficiency. Consultants can also help to streamline the compliance process, reduce the risk of non-compliance, and ensure that your organization meets all necessary standards.

Training Programs

An important factor in achieving and maintaining CMMC compliance is equipping employees with the proper training and providing them with the resources they need to understand their responsibilities. Third parties like LBMC can provide ongoing education to employees to keep them updated on the latest cybersecurity threats and compliance strategies.

In Conclusion

The CMMC 2.0 framework balances stringent cybersecurity measures with practical and realistic implementation steps, benefiting organizations of all sizes by making compliance more accessible and manageable.

The path to achieve CMMC compliance can be overwhelming, with many organizations unsure of where to begin. However, LBMC is here to help guide you through the complexities of these changes, ensuring a clear understanding of the process and providing tailored solutions to meet business-specific needs. Our expert team can assist in identifying the level of compliance, navigating the necessary requirements at that given level, breaking the path to compliance down into manageable tasks, and ensuring you’re on the path to successful compliance.

Contact LBMC today to learn more about how we can assist your organization in achieving CMMC compliance.

Content provided by LBMC Cybersecurity Consultant Austin Ferrier.