
Cybersecurity incidents continue to impact consumers and organizations worldwide, and the impact of a single incident can be profound. People often focus on the theft of their personally identifiable information (PII) and the effect that would have on their lives, but if specific information related to the Department of Defense (DoD) got into the wrong hands, the impact on all of us would be considerable. The cybersecurity requirements for the DoD are elaborate because the security measures must cover information held both by the DoD and by the Defense Industrial Base (DIB).

Therefore, the CMMC (Cybersecurity Maturity Model Certification) framework was released to help DoD contractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). After the DoD established compelling evidence that contractors were not sufficiently compliant under the pre-existing cybersecurity self-certifications, and given the rise and growing sophistication of cyber threats, it announced CMMC 2.0 on November 4, 2021. Are you a manager dealing with CUI or working in the DIB? Read on for what you need to understand about CMMC 2.0.

Streamlining CUI Security with CMMC 2.0

CMMC 2.0 is overseen by the OUSD(A&S). Information about it is available from several sources, including the OUSD(A&S) website and the Department of Defense news brief. From the available information, there are two primary considerations for contractors in the DIB:

  • How do the core components of CMMC 2.0 differ from those of the previous version?
  • How will the assessment and implementation requirements and procedures differ?

We'll address these two considerations by comparing CMMC 2.0 with the previous version of CMMC, to inform the mapping or implementation effort your corporation needs to initiate.

CMMC 2.0 Core Components, Assessment, and Implementation

Previously, non-federal organizations followed the NIST 800-171 model. It specified 110 controls to be implemented and documented in a CUI System Security Plan (SSP). The CUI SSP detailed how people, IT systems, and physical facilities protected the Controlled Unclassified Information.

CMMC 2.0 also draws heavily from NIST 800-171. Unlike CMMC 1.0, which comprised five levels, CMMC 2.0 has three levels: foundational, advanced, and expert. At the foundational level (level 1), DoD contractors must comply with the seventeen "basic cyber hygiene" NIST SP 800-171 security measures. At the advanced level (level 2), the contractor must adhere to all 110 security controls of NIST 800-171.

Though the expert level (level 3) is still being finalized by the Department of Defense, it is expected that, in addition to the 110 security controls from NIST 800-171, it will also incorporate the 35 enhanced security measures under NIST 800-172. There are three types of assessment that your company may undergo, depending on the level of your CMMC certification: self-assessment, third-party assessment, or government assessment.


The DoD views the foundational level as an opportunity to engage contractors in developing and strengthening their approach to cybersecurity. Since this level doesn't involve critical or sensitive national security information, the Department of Defense intends to use it to give contractors a chance to assess their cybersecurity posture and start adopting practices that will prevent cyber-attacks. The same applies to the subset of level 2 programs that don't involve information critical to national security.

With CMMC 2.0, you are required to perform a self-assessment annually. As the manager, you are also expected to affirm that your company meets all the requirements of your CMMC 2.0 certification level.

Third-Party Assessments

After implementing CMMC 2.0, you'll be required to be assessed by a third party. According to David McKeown, Deputy DoD CIO, it looks like almost all corporations are clearly defense contractors or have some critical industry tie. This means that nearly all DoD contractors will end up handling critical Controlled Unclassified Information. Therefore, all 80,000 contractors will need a CMMC 2.0 Level 2 assessment, which includes a third-party assessment.

McKeown also said that the Department of Defense is working closely with the CMMC Accreditation Body, which accredits the CMMC Assessors and Instructors Certification Organization (CAICO) and the CMMC third-party assessment organizations (C3PAOs), to complete the assessment ecosystem.

However, the responsibility for obtaining the necessary assessment and certification, including planning and coordinating the CMMC assessment, falls on your corporation. Upon completing the CMMC assessment, the C3PAO sends the assessment report to the Department of Defense.

Government Assessments

The DoD intends for government officials to assess the CMMC 2.0 Expert Level (level 3) cybersecurity requirements. However, those assessment requirements are still under development.

If you identify any weaknesses against the 110 security controls in your corporation, CMMC 2.0 requires you to address them in a comprehensive POA&M (Plan of Action & Milestones) that lists every deficiency together with a timeline for remediation. Based on how effectively the CUI SSP implements the controls, you must calculate a score using the Department of Defense Assessment Methodology.

Every entity's score can then be tracked in the federal SPRS (Supplier Performance Risk System) database alongside entity-specific information such as C-suite attestation. The government contracting officer validates that SPRS scores were provided as part of the competition process for the DoD contract. The scores are generally needed whether you are a prime contractor or a subcontractor. Since December 2017, meeting NIST 800-171 has been a requirement in most government contracts.

Management Team Considerations

Assuming that being a subcontractor or a prime contractor in the DIB is part of your corporation's business strategy, as a manager you should address the following:

Conducting Business with The Department of Defense

  • Plan for CMMC and cybersecurity. Give due consideration to the indirect costs your entity might incur in completing proposals in accordance with (IAW) Defense Contract Management Agency guidelines.
  • Identify the near-term or pending services or products your corporation might need to contract with the DoD.
  • Summarize the products and/or services you presently supply to the Department of Defense.

Understanding the Compliance Requirements

  • Has the corporation identified the Controlled Unclassified Information referenced in your contract and in DD Form 254, the Contract Security Classification Specification?
  • Consider the status of your company's CUI SSP. Are the deficiencies and corrective measures under the Plan of Action & Milestones being completed on schedule?
  • Identify the cybersecurity stakeholders outside IT, such as human resources, a C-suite leader, facility security, and contracting officers.
  • Ask your government contracting officer whether new cybersecurity clauses are under consideration for contract modification or for insertion in option-year DoD contracts.

Take the Required Steps to Attain the Business Goals

  • Regularly monitor your organization's compliance with DoD contractual requirements such as NIST 800-171.
  • Whenever new terms and conditions arise, review them to understand the scope of the compliance program.
  • Review the resource requirements for meeting your objectives.
  • Conduct annual reviews of the enterprise processes, policies, plans, and procedures that implement CUI security. This helps you coordinate the expanding Controlled Unclassified Information protection effort across the various stakeholders and departments.

If there are other proactive measures you can take to improve the probability of succeeding in your bid process, you should consider them.

The responsibility for ensuring cybersecurity within a corporation that has several such clauses inserted in its contracts lies solely with the management team. As a manager, you hire the staff and give them the information they need about the cybersecurity measures they must help the corporation attain. Therefore, if you work within the DIB, you must understand measures such as CMMC 2.0. Is the task overwhelming? You can enlist the help of MSSPs and MSPs. Fortunately, we at Cleared Systems are ready to help. Reach out to us today for more information.

Ways We Can Help You

Contact us to receive assistance in navigating cybersecurity risks and information compliance for your company. Here are some additional ways we can help:

  • Schedule a free discovery session with us during which we can learn about your company, answer your questions, and assist you in determining if Cleared Systems is the right fit for you.

  • Register for our upcoming cybersecurity and information compliance training.

  • Purchase our books on CMMC 2.0, CUI, Data Breaches, and ITAR.

  • Join our weekly free webinar sessions to ask questions and learn about the latest developments in cybersecurity and information compliance.

Author Profile

Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
