CMMC 2.1 Explained: How is the Cybersecurity Maturity Model Certification Program Changing?

Find out how updated CMMC regulations impact security compliance for government agencies and their partners.

The Cybersecurity Maturity Model Certification (CMMC) is an important topic for organizations in the Defense Industrial Base. For more than 100,000 companies and subcontractors designing and manufacturing military equipment, the CMMC represents a core compliance requirement.

The CMMC traces its origin to 2010 when then-President Barack Obama signed Executive Order 13556. This order defines security protections for “controlled unclassified information” (CUI), establishing a set of cybersecurity principles for government agencies to follow.

This model had its share of problems. One of the biggest issues was its reliance on self-attestation: organizations were largely left to interpret the appropriate controls and security rules on their own. In 2019, the Department of Defense officially announced it was developing the CMMC 1.0 ruleset to address this issue. It was implemented the next year, providing organizations with a standardized process for implementing, scoring, and attesting to NIST 800-171 and DFARS requirements.


What is the Cybersecurity Maturity Model Certification (CMMC) Program?

The CMMC program is a compliance framework that establishes standardized protections for sensitive but unclassified data used by defense contractors and related organizations. This assures the Department of Defense that its partners responsibly process, store, and communicate data in a secure way.


The original CMMC 1.0 framework included five maturity levels:

  1. Basic cyber hygiene

  2. Intermediate cyber hygiene

  3. Good cyber hygiene

  4. Proactive cyber hygiene

  5. Advanced and progressive cyber hygiene

These levels corresponded to the 110 controls listed in NIST 800-171. All Department of Defense contractors had to demonstrate compliance with at least the first level or risk losing the government’s business.

As of November 2021, the CMMC 2.0 consolidated the original five levels of compliance into three. Now, the model looks like this:

  1. Foundational – Based on 15 basic requirements; compliance is demonstrated through annual self-assessments and affirmations.

  2. Advanced – Based on all 110 NIST 800-171 requirements; compliance is demonstrated through triennial third-party assessments with annual affirmations, or, for certain programs, triennial self-assessments with annual affirmations.

  3. Expert – Based on 134 requirements drawn from both NIST 800-171 and NIST 800-172; compliance is demonstrated through triennial government-led assessments with annual affirmations.


Additionally, the Department of Defense has expanded the scope of its CMMC requirements to go beyond prime contractors. In some cases, these requirements apply to fourth-level vendors. This can make achieving compliance incredibly complex for some organizations.

What Are the New CMMC 2.1 Requirements?

The most important thing for government contractors and their partners to know about the CMMC 2.1 requirements is that CMMC certification is mostly based on the pre-existing NIST 800-171 framework. If your organization is NIST 800-171 compliant, it is also compliant with the CMMC requirements at least through Level 2.

As long as the underlying NIST 800-171 rules do not change, CMMC program compliance updates demand relatively minor changes to the organization’s security processes. Many of these changes have to do with the way organizations carry out and report self-assessments.


More than 100 of these changes focus on “organizationally defined parameters” (ODPs), which give organizations room to specify values relevant to their own security context. ODPs allow standardized frameworks like the CMMC to accommodate each organization’s security needs despite differences in organizational size, complexity of systems, and other factors.


ODPs are not new. They have always been a part of the NIST 800-171 framework. Let’s look at an example from the CMMC 2.1 Level 2 rule 3.5.8 on password reuse:

  • IA.L2-3.5.8 Password Reuse: Prohibit password reuse for a specified number of generations.


Here, the CMMC rule tells organizations to implement controls that prevent users from reusing passwords across multiple accounts or resets. However, it doesn’t tell you exactly how many generations to specify. That value may change based on context. An organization might decide to enforce a strict ban on reused passwords for administrator accounts with access to mission-critical services. At the same time, it might consider looser controls on password reuse for non-critical accounts and applications.

The important thing is that it’s up to the organization – not the Department of Defense – to determine what the appropriate definition for that parameter is. NIST 800-171 doesn’t include any stipulation saying all organizations must adhere to a certain number of password generations in this context.

The main thing that changes is the responsibility for specifying ODP values in a contextually relevant way and reporting those specifications as part of CMMC compliance. Organizations will have to implement rules that rely on ODP values and justify those rules in their compliance reports.
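To make the ODP idea concrete, here is an added example (not code from the original article or from any CMMC or NIST publication) of how a password-history check for IA.L2-3.5.8 can be parameterized by account class. The generation counts, the `privileged`/`standard` class names and the PBKDF2 work factor are assumptions chosen for illustration; the organization would set and document its own values in its compliance report.

```python
import hashlib
import os
import secrets

# Organization-defined parameter (ODP) for IA.L2-3.5.8: how many previous
# password generations are prohibited, per account class. These values are
# constructed assumptions for this example, not values from any standard.
PASSWORD_GENERATIONS = {
    "privileged": 24,  # administrator accounts on mission-critical services
    "standard": 5,     # non-critical user accounts and applications
}

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed placeholder)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Keeps salted hashes of an account's previous passwords, newest last."""

    def __init__(self, account_class: str):
        if account_class not in PASSWORD_GENERATIONS:
            raise ValueError(f"no ODP value defined for account class {account_class!r}")
        self.generations = PASSWORD_GENERATIONS[account_class]
        self._history: list[tuple[bytes, bytes]] = []  # (salt, digest)

    def _covered(self) -> list[tuple[bytes, bytes]]:
        # Only the last `generations` entries are compared; an ODP of 0 would
        # mean no reuse prohibition at all, so guard the slice explicitly.
        return self._history[-self.generations:] if self.generations else []

    def is_reused(self, candidate: str) -> bool:
        # Each stored entry has its own salt, so the candidate is re-derived per entry.
        return any(
            secrets.compare_digest(_hash_password(candidate, salt), digest)
            for salt, digest in self._covered()
        )

    def set_password(self, new_password: str) -> bool:
        """Record a new password; returns False if it violates the reuse rule."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self._history.append((salt, _hash_password(new_password, salt)))
        self._history = self._covered()  # retain only what the ODP requires
        return True
```

Changing the ODP value for a class changes only the table entry, which is exactly the specification an assessor would expect to see justified in the compliance report.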

Other CMMC 2.1 Changes to Know About: Zero Trust

Other CMMC 2.1 changes include more stringent access control policies and a call for increased network segmentation. Organizations must manage data flows more securely and ensure they only send data to provisioned destinations that have security controls applied to them.

This underlines the need for Zero Trust Architecture for government agencies and their partners. Many of the NIST 800-171 controls that CMMC 2.1 focuses on fit under the umbrella of Zero Trust, which federal agencies must comply with by September 2024.

While there are many ways to interpret Zero Trust principles in action, one of the main characteristics federal security leaders are looking for is the ability to implement identity-based policies throughout the organization. Organizations that achieve CMMC 2.1 compliance will be better positioned to develop identity-based security controls and demonstrate Zero Trust processes.

Achieve CMMC 2.1 Compliance with Maverc

Maverc is a Florida-based managed security services vendor that helps organizations achieve security without boundaries. Government contractors and other organizations that need to maintain CMMC compliance rely on Maverc to audit their security capabilities, propose changes, and implement solutions to achieve compliance goals.


We can help your organization at any point in its compliance journey. Our experienced team of certified CMMC compliance consultants can create documentation, establish continuous monitoring controls, and prepare your team for its CMMC audit.

Protect your organization against sophisticated emerging threats while reinforcing the value of important government contracts with our help.
