Earlier this month, the Department of Defense (DOD) released the new Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, along with the self-assessment guides for the new Levels 1 and 2, scoping guidance for all Levels, and other helpful tools for contractors seeking to perform self-assessments. Each of these documents is available on DOD’s CMMC website under the Documentation tab. Here are key highlights from DOD’s CMMC 2.0 Documentation for small and mid-sized defense contractors.
These documents signal some major departures from the CMMC 1.0 framework. For instance, the CMMC 1.0 framework contemplated that a contractor’s entire information technology (IT) system would be certified at a particular level. Many contractors were concerned that the cost of implementing CMMC requirements enterprise-wide would be prohibitively high, particularly at CMMC 1.0 Level 3 and above, and requested that DOD permit certification of particular “enclaves” that processed Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), which would be similar to the “enclaves” some cleared contractors might use to process classified information.
DOD appears to have heard those concerns and has more narrowly defined the scope of the assessments, so contractors will be able to create these “enclaves.” Specifically, any asset that does not store, process, or transmit FCI and/or CUI will generally fall outside the scope of a CMMC self-assessment (DOD has not yet released the third-party assessment guidance). Accordingly, for Level 1, contractors will be required to document only the assets that store, process, or transmit FCI and to apply the CMMC 2.0 Level 1 requirements to those assets exclusively.
For Level 2, the documentation and assessment process is more involved, and contractors will be required to determine which of five categories their IT assets fall into before performing their self-assessments. Those five categories are: (1) CUI Assets, (2) Security Protection Assets, (3) Contractor Risk Managed Assets, (4) Specialized Assets, and (5) Out-of-Scope Assets.
While only the first two categories of assets will need to meet all the CMMC 2.0 Level 2 requirements, the third and fourth categories will still need to be accounted for in the contractor’s system security plan (SSP). However, contractors will not need to apply the CMMC self-assessment requirements to those assets. Contractors will also be required to keep any assets that do not and cannot store, process, or transmit CUI physically and logically separated from assets that can perform those functions. As with the CMMC 2.0 Level 1 self-assessment, contractors will not be required to document Out-of-Scope Assets, to apply CMMC 2.0 self-assessment requirements to them, or to address them in their SSPs. However, keeping track of and securing all IT assets remains an industry best practice.
Despite these major departures from CMMC 1.0, CMMC 2.0 does still retain many of CMMC 1.0’s hallmarks, as noted in our previous blog. For instance, CMMC 2.0 Level 1 still tracks to the requirements in Federal Acquisition Regulation 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Similarly, CMMC 2.0 Level 2—formerly CMMC 1.0 Level 3—still tracks to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. However, instead of imposing additional requirements beyond those laid out in NIST SP 800-171, CMMC 2.0 Level 2 will require compliance with NIST SP 800-171 only. So, contractors who are performing the NIST SP 800-171 self-assessments DOD currently requires will be well positioned to complete their CMMC 2.0 Level 2 self-assessments.
In sum, DOD’s changes to the CMMC framework mean that CMMC will be easier for small and mid-sized businesses to attain. The narrowed scope of the assessments, coupled with the ability for many contractors to perform self-assessments, means that the CMMC process will be more streamlined and less expensive, while still protecting sensitive information.
If you have any questions regarding CMMC 2.0 or other recent developments in U.S. Government cybersecurity initiatives, please contact Anna Wright, the author of this client alert, or a member of PilieroMazza’s Cybersecurity and Data Privacy Team.