In November 2021, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v2.0 of the Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework designed to protect the defense industrial base from increasingly frequent and complex cyberattacks. Version 2.0 simplifies the model by streamlining certification levels from five (5) to three (3), eliminating proprietary maturity layers, and adjusting assessment responsibilities. This post summarizes what’s new in v2.0, including how Prevalent can help simplify the CMMC assessment process.

What is CMMC?

CMMC is a U.S. federal government certification against cybersecurity and controlled unclassified information (CUI) handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. CMMC aims to ensure that our entire national defense supply chain (DIBS – defense industrial base suppliers) is secure and resilient.

What Are the CMMC Certification Levels?

All DoD suppliers will eventually be required to be certified at one of three levels, from Level 1 (Foundational) to Level 3 (Expert). This represents a change from version 1.0 that featured five certification levels. Version 2.0 certification levels are derived from the basic safeguarding requirements for Federal Contract Information (FCI) specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for controlled unclassified information (CUI) specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and additional controls from NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.

  • Level 1 – Self-assessment performed by the supplier against 17 controls. This level of certification is considered foundational and for suppliers managing FCI that is not critical to national security. This certification level is unchanged from version 1.0, originally announced in January 2020.
  • Level 2 – A more advanced level of certification performed by third-party auditors (known as C3PAOs, or certified third-party audit organizations) against an additional 110 controls in the NIST SP 800-171 standard. This level is considered for companies that have controlled unclassified information (CUI). In some cases organizations can perform a self-assessment at this level.
  • Level 3 – Considered an expert level for the highest-priority DoD suppliers, this level builds on Level 2 by adding a subset of NIST SP 800-172 controls on top. The federal government will conduct the audits for companies at this level.
CMMC Requirements in Detail
Please see the table below for a summary of CMMC requirements by level, organized by NIST SP 800-171r2 Relevant Security Controls, that are included as built-in questionnaires in the Prevalent Platform. Information on Level 3 will be released by the US DoD at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.

 

 

 

Access Control
**Level 1**

3.1.1 Authorized Access Control
3.1.2 Transaction & Function Control
3.1.20 External Connections
3.1.22 Control Public Information

 **Level 2**

3.1.3 Control CUI Flow
3.1.4 Separation of Duties
3.1.5 Least Privilege
3.1.6 Non-Privileged Account Use
3.1.7 Privileged Functions
3.1.8 Unsuccessful Logon Attempts
3.1.9 Privacy & Security Notices
3.1.10 Session Lock
3.1.11 Session Termination
3.1.12 Control Remote Access
3.1.13 Remote Access Configurability
3.1.14 Remote Access Routing
3.1.15 Privileged Remote Access
3.1.16 Wireless Access Authorization
3.1.17 Wireless Access Protection
3.1.18 Mobile Device Connection
3.1.19 Encrypt CUI on Mobile
3.1.21 Portable Storage Use
Awareness & Training
**Level 1**

N/A

 **Level 2**

3.2.1 Role-Based Risk Awareness
3.2.2 Roles-Based Training
3.2.3 Insider Threat Awareness

How to Perform CMMC Assessments for All Levels
Audit & Accountability
**Level 1**

N/A

 **Level 2**

3.3.1 System Auditing
3.3.2 User Accountability
3.3.3 Event Review
3.3.4 Audit Failure Alerting
3.3.5 Audit Correlation
3.3.6 Reduction & Reporting
3.3.7 Authoritative Time Source
3.3.8 Audit Protection
3.3.9 Audit Management
Configuration Management
**Level 1**

N/A

 **Level 2**

3.4.1 System Baselining
3.4.2 Security Configuration Enforcement
3.4.3 System Change Management
3.4.4 Security Impact Analysis
3.4.5 Access Restrictions for Change
3.4.6 Least Functionality
3.4.7 Nonessential Functionality
3.4.8 Application Execution Policy
3.4.9 User-Installed Software
Identification and Authentication
**Level 1**

3.5.1 Identification
3.5.2 Authentication

 **Level 2**

3.5.3 Multi-factor Authentication
3.5.4 Replay-Resistant Authentication
3.5.5 Identifier Reuse
3.5.6 Identifier Handling
3.5.7 Password Complexity
3.5.8 Password Re-use
3.5.9 Temporary Passwords
3.5.10 Cryptographically-Protected Passwords
3.5.11 Obscure Feedback
Incident Response
**Level 1**

N/A

 **Level 2**

3.6.1 Incident Handling
3.6.2 Incident Reporting
3.6.3 Incident Response Testing
Maintenance
**Level 1**

N/A

 **Level 2**

3.7.1 Perform Maintenance
3.7.2 System Maintenance Control
3.7.3 Equipment Sanitization
3.7.4 Media Inspection
3.7.5 Nonlocal Maintenance
3.7.6 Maintenance Personnel
Media Protection
**Level 1**

3.8.3 Media Disposal

 **Level 2**

3.8.1 Media Protection
3.8.2 Media Access
3.8.4 Media Markings
3.8.5 Media Accountability
3.8.6 Portable Storage Encryption
3.8.7 Removable Media
3.8.8 Shared Media
3.8.9 Protect Backups
Personnel Security
**Level 1**

N/A

 **Level 2**

3.9.1 Screen Individuals
3.9.2 Personnel Actions
Physical Protection
**Level 1**

3.10.1 Limit Physical Access
3.10.3 Escort Visitors
3.10.4 Physical Access Logs
3.10.5 Manage Physical Access

 **Level 2**

3.10.2 Monitor Facility
3.10.6 Alternative Work Sites
Risk Assessment Row 2, Column 2
**Level 1**

N/A

 **Level 2**

3.11.1 Risk Assessments
3.11.2 Vulnerability Scan
3.11.3 Vulnerability Remediation
Security Assessment
**Level 1**

N/A

 **Level 2**

3.12.1 Security Control Assessment
3.12.2 Plan of Action
3.12.3 Security Control Monitoring
3.12.4 System Security Plan
System and Communications Protection
**Level 1**

3.13.1 Boundary Protection
3.13.5 Public-Access System Separation

 **Level 2**

3.13.2 Security Engineering
3.13.3 Role Separation
3.13.4 Shared Resource Control
3.13.6 Network Communication by Exception
3.13.7 Split Tunneling
3.13.8 Data in Transit
3.13.9 Connections Termination
3.13.10 Key Management
3.13.11 CUI Encryption
3.13.12 Collaborative Device Control
3.13.13 Mobile Code
3.13.14 Voice over Internet Protocol
3.13.15 Communications Authenticity
3.13.16 Data at Rest
System and Information Integrity
**Level 1**

3.14.1 Flaw Remediation
3.14.2 Malicious Code Protection
3.14.4 Update Malicious Code Protection
3.14.5 System & File Scanning

 **Level 2**

3.14.3 Security Alerts & Advisories
3.14.6 Monitor Communications for Attacks
3.14.7 Identify Unauthorized Use

The Prevalent Third-Party Risk Management Platform has built-in questionnaires for Level 1 and Level 2, enabling suppliers to assess themselves and auditors to assess their clients against each level. When Level 3 certification requirements have been published, Prevalent will add the appropriate questionnaire to the Platform.

C3PAOs can:

  • Invite clients into the Prevalent Platform to complete their standardized Level 2 control assessment in an easy-to-use, secure tenant
  • Automate chasing reminders to suppliers or clients to reduce the time required to complete assessments
  • Centralize supporting documents submitted as evidence of the presence of controls
  • View a single register of risks raised depending on how the client or supplier responds to the questions
  • Issue remediation recommendations for failed controls
  • Deliver customized reporting on the current level of compliance, demonstrating the risk-reducing impact of the application of future controls

Any DoD supplier can conduct a Level 1 or Level 2 self-assessment to:

  • Assess themselves against the 17 controls required to measure Level 1 compliance
  • Assess themselves against the 110 controls required to measure Level 2 compliance
  • Upload documentation and evidence to support answers to questions
  • Gain visibility into current compliance status
  • Leverage built-in remediation guidance to address shortcomings
  • Produce reporting to measure compliance for auditors

For more information on how Prevalent helps to secure the DoD supply chain, visit our CMMC compliance page, download our compliance white paper, or request a demo of the Prevalent Platform today.

 

Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.