The defense contracting community has been talking about the Cybersecurity Maturity Model Certification (CMMC) for two years now with little being done around auditing and enforcement. Now, however, with the new and improved—even if still somewhat flawed—CMMC version 2.0 being released, it's finally time for contractors to start moving toward CMMC certification.
The updated version still requires a good deal of infrastructure changes that can be costly and complex, but it should now be clear that working toward CMMC compliance is a far better strategy than standing still and hoping it goes away. Because it’s not going away.
The first version of the CMMC was released in January 2020 but has not been widely implemented amid complaints about costs—particularly for small businesses—and questions about requirements surrounding the objectivity of the assessment process.
From its beginning, CMMC seeks to ensure the maturity level and readiness of contractors in the Defense Industrial Base (DIB) through a program of training, certification and third-party assessments, rather than relying on contractor self-assessments. The recently released CMMC 2.0 has adjusted the framework's guidelines and compressed the security requirements, reducing the levels of CMMC certification from five to three, while also requiring fewer security controls and self-assessments to make it simpler to achieve Level 1 certification.
The new version is still being finalized on how and when it will be audited and enforced, and the Department of Defense says it could be well into 2023 before CMMC 2.0 fully becomes a contracting requirement. But, it will apply to all new DOD contracts by Fiscal 2026 for both prime contractors and subcontractors, affecting all of the roughly 220,000 contractors in the DIB.
What CMMC Requires
CMMC is designed to protect federal contract information (FCI) and controlled unclassified information (CUI) across three levels of certification, based on a combination of self-assessments and third-party assessments:
- Level 1: The foundational level, covers FCI and, once CMMC is fully implemented, will require self-assessments on an annual basis.
- Level 2: Advanced, includes CUI and will require a combination of annual; self- and third-party assessments. Its requirements will be based on the National Institute of Standards and Technology’s SP 800-171 guidelines for protecting CUI.
- Level 3: Expert, covers enhanced requirements for CUI, based on a subset of NIST SP 800-172, and will require triennial third-party assessments.
CMMC applies to information on contractors' unclassified networks. If a contractor handles only FCI, it can stick to Level 1. But if it handles any CUI in addition to FCI, it must start at Level 2. The DOD has estimated that about 140,000 companies in the DIB will fall under Level 1, with about 80,000 starting at Level 2.
CMMC boils down to the need to start securing government FCI and, especially, CUI data everywhere it is being accessed and utilized, and to protect it correctly—notably by using validated FIPS 140-2 256-bit encryption. In order to implement CMMC efficiently and pass a CMMC audit, contractors must make sure they have addressed every endpoint, including mobile endpoints, with the right solutions to ensure that data is secured everywhere it flows.
To comply with CMMC, organizations must rely on a vendor that is FIPS 140-2 validated/certified—not just compliant. Full certification has proven to be a struggle that most vendors have not been able to achieve – limiting the options for viable solutions. Many smaller contractors also have had trouble marshaling the resources or budgets to research and invest in the appropriate tools and technology for CMMC compliance, another pain point that hinders their ability to accelerate compliance. This underscores the need for holistic solutions that address major components of CMMC, instead of investing in and deploying piecemeal solutions.
Steps To CMMC Compliance
Requirements and regulations aside, the simple truth is that continuing to rely on your current mobile security architecture, while threats and attacks become increasingly more sophisticated, makes you more vulnerable every day.
Mobile malware is proliferating at an alarming rate, and many organizations are sitting ducks for an attack because they have not secured their mobile landscape. If your employees use any kind of mobile device for work, whether personal or corporate-owned, Android or Apple, etc., it's imperative for more advanced mobile security measures to be put in place.
The answer for these organizations is a containerized approach that leverages 256-bit encryption but also prioritizes productivity. Yes, contractors need to be able to ensure that data being accessed or stored on mobile devices is secured to the rigors demanded by CMMC 2.0, but they also need easy access to the data needed to complete the work that the government expects them to do.
Data containerization, when done correctly, ensures data security to a degree that enables organizations to confidently allow greater data access through mobile devices – which ultimately improves productivity and cost savings. Additionally, it can also relieve organizations of the effort and costs of having to provide and manage mobile devices for every employee by allowing a secure approach for use of personal/bring your own device (BYOD) and simplified processes for corporate-owned devices.
Important considerations include access controls such as password management and multi-factor authentication, 256-bit encryption and the ability to wipe sensitive data, when necessary, without affecting personal data. Most importantly, it ensures compliance with CMMC 2.0 requirements, while also making meeting those requirements simpler and more affordable.
