CMMC 2.0 Framework

Chris Swagler | August 2nd, 2024


Cybersecurity frameworks and standards are crucial for organizations because they provide a structured approach to managing and mitigating cyber risks. They help establish consistency, reliability, and compliance across industries, serving to protect sensitive information from cyber threats. Adopting such measures can build trust with clients and government entities, facilitate smoother operations, and provide a competitive advantage for compliant businesses.

Ultimately, many frameworks help organizations better navigate the complex cybersecurity landscape, which helps reduce vulnerabilities and minimize business disruptions. Adhering to a vetted framework not only reduces the likelihood of ransomware attacks, but it also addresses mission critical systems failures causing unnecessary downtime. All this aids in improving overall security posture and cyber resilience and protects corporate image while safeguarding sensitive client data.

One such framework is colloquially known as CMMC: the Cybersecurity Maturity Model Certification is developed by the U.S. Department of Defense (DoD) to enhance and standardize cybersecurity practices across the Defense Industrial Base (DIB). CMMC requirements apply to those in the DIB handling sensitive unclassified information shared by the US DoD.

The stated goal of the CMMC is to help ensure that contractors and subcontractors within the DIB meet specific cybersecurity requirements to protect sensitive information from potential threats. Any organization that does business with the DoD is expected to comply with minimal cybersecurity standards outlined in the CMMC program, which categorize defense contractors for project selection or non-selection.

The revised CMMC framework is aligned to additional standards, namely NIST 800-171 and 800-172, which will be examined in more detail later. Furthermore, the updated CMMC standards (2.0) will not be finalized and published until Q1 of 2025 [1], according to numerous estimates, so access to the specific details of version 2.0 is limited while it remains in development [2].

The Purpose and Importance of CMMC 2.0

With cybersecurity risks growing in their scope, impact, and cost in terms of financial and data loss, it continues to be important for all entities—government and civilian, corporate and non-profit—to enhance their overall cyber maturity. CMMC is one of many frameworks attempting to articulate how this can be done.

What are the goals of CMMC 2.0?

Protecting Sensitive Information: Safeguarding sensitive government information, which necessarily includes the personal data of citizens, is an imperative, and it is difficult to overstate the importance of a cybersecurity framework in meeting it. Given the long-standing threat of state-sponsored cyberattacks against the United States (VOA [3], Reuters [4], The Verge [5]), government agencies and businesses alike are working vigilantly to protect sensitive information and proprietary data that threat actors seek to steal for use in their own economies. Unfortunately, as more and more data are hosted in cloud environments, the likelihood of a catastrophic incident involving data theft increases.

As part of their digital evolution, public organizations, governments and their contractors included, are quickly increasing the complexity of how and where their data are stored and who assists in managing them. According to the Nutanix Cloud Index Report for the Global Public Sector, public entities are outpacing all other sectors in adopting “multiple IT environments” to house and manage their data: adoption among public entities will reach 87% in the next 1-3 years, compared with 73% for other sectors [6]. On one hand, government-held data are spread across diverse environments with multiple stewards and fail-safes; on the other, the more locations data occupy, whether on or off premises, the more potential points of failure and vulnerabilities exist.

Standardization: CMMC 2.0 creates a unified standard for cybersecurity across all DoD contracts, reducing variability, and improving overall security. For organizations seeking to work with the federal government in any capacity, the cybersecurity requirements are well-detailed and transparent.

Compliance: Contractors must achieve the required CMMC level to be eligible for DoD contracts, making it a critical requirement for doing business with the DoD. Unfortunately, compliance does not equal total security.

What’s New that Requires a Version 2.0

The transition of the CMMC framework from 5 to 3 tiers attempts to simplify the compliance process for businesses by streamlining requirements, reducing complexity, and lowering associated costs. With fewer tiers, businesses can, in principle, more clearly understand and meet the enumerated standards, making compliance more accessible for organizations of all sizes. This reduction in complexity also translates into cost efficiency, as it lowers auditing and certification expenses for those not seeking top tier certification. Furthermore, businesses can better focus their resources on meeting essential cybersecurity requirements, thereby enhancing their overall security posture.

As for qualifying standards: Tier 1 requires organizations to self-assess and self-certify adherence; Tier 2 contractors must complete annual third-party affirmation and triennial assessment; Tier 3 contractors must undergo a triennial government-led assessment.

[Figure: CMMC model structure]

(Image Source: https://dodcio.defense.gov/CMMC/About/)

As previously mentioned, these streamlined standards are aligned with the NIST (National Institute of Standards and Technology) cybersecurity framework, specifically SP 800-171 and SP 800-172. The former speaks to “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” [7] and the latter to “Enhanced Security Requirements for Protecting Controlled Unclassified Information” [8].

An additional reason for the framework upgrade is that version 1.0 was released in 2020, a veritable lifetime ago in technological terms. In 4 short years, the cyber landscape has evolved dramatically. On a global scale, there has been a massive data migration to the cloud from local servers. This has occurred for businesses and governments alike. Cloud storage is big business; doing it yourself is complex, labor intensive, and expensive, so those who specialize in data storage and defense are sought for these valuable services.

Beyond this, numerous significant cyberattacks have taken place since 2020 that necessitate changes based on lessons learned: SolarWinds reminded organizations that enhanced vigilance and stronger supply chain security are necessary [9]; the Kaseya breach clarified the need for robust incident response plans and third-party vendor vetting [10]; the Microsoft Exchange breach reiterated that proactive vulnerability patching and continuous monitoring are essential for robust security [11]. And, in that same span of time, cyberattacks have more than doubled, according to an International Monetary Fund review [12].

If CMMC is going to establish itself as a standard for certain job types or industries, it makes sense to update it regularly.

Specific Impact on the Construction Industry

CMMC 2.0 will significantly impact construction organizations by requiring compliance with specific cybersecurity standards in order to bid on or participate in DoD contracts. This involves implementing the necessary cybersecurity practices, performing the specified assessments, and ensuring supply chain security. While it simplifies some requirements, it will still necessitate allocating resources for compliance efforts. Achieving certification can provide a competitive advantage but will require an ongoing commitment to cybersecurity resilience.

The best way for construction firms to prepare, according to Trey Warman, North American Industry Practice Director, AVP Federal Government Contractors, Tech & Manufacturing, is three-fold: “One, assign an executive to take ownership of CMMC preparation and two, follow the DoD’s CIO website preparation tips [13]. Additionally, construction organizations must find a trusted MSSP [Managed Security Service Provider] and cyber risk engineer with a specialized cyber insurer with a federal government contracting practice.”

There are plenty of detractors claiming the CMMC model should be scrapped because it is too bureaucratic, unresponsive to evolving threats, and expensive, particularly for small and medium-sized businesses. To this concern, Warman reminds organizations, “whether we like it or not, CMMC is coming. Even small businesses must be prepared and doing so is beneficial as the cost of malware and cyber extortion, as well as unintentional disclosure of sensitive unclassified information (CUI), is vast.”

The implementation of CMMC 2.0 represents a critical step towards bolstering cybersecurity across the Defense Industrial Base. As threats continue to evolve, adherence to these standards will not only help organizations protect sensitive information but also provide a competitive edge for compliant organizations, ensuring a more secure and resilient defense ecosystem.

Sources

  1. Spencer, Patrick. “CMMC Roadmap: Your Ultimate Guide for CMMC 2.0 Compliance.” Kiteworks, 2 July 2024, https://www.kiteworks.com/cmmc-compliance/a-roadmap-for-cmmc-2-0-compliance-for-dod-contractors/.
  2. CMMC Documentation. U.S. Department of Defense CIO, https://dodcio.defense.gov/CMMC/Documentation/.
  3. Seldin, Jeff. “FBI Calls out China for Making Critical Infrastructure ‘Fair Game’ for Cyber Operations.” Voice of America, 18 Apr. 2024, https://www.voanews.com/a/fbi-calls-out-china-for-making-critical-infrastructure-fair-game-for-cyber-operations-/7576013.html.
  4. Satter, Raphael. “US Warns Hackers Are Carrying out Attacks on Water Systems.” Reuters, 20 Mar. 2024, https://www.reuters.com/technology/cybersecurity/us-warns-that-hackers-are-carrying-out-disruptive-attacks-water-systems-2024-03-20/.
  5. Roth, Emma. “Feds Charge Iranian Nationals for Cyberattacks against US Government.” The Verge, 24 Apr. 2024, https://www.theverge.com/2024/4/24/24139160/doj-iranian-nationals-cyberattack-charge.
  6. Nutanix. “Nutanix Enterprise Cloud Index Report: Global Public Sector.” https://www.nutanix.com/viewer?null.
  7. Ross, Ron. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST SP 800-171r3, National Institute of Standards and Technology, 2024, https://doi.org/10.6028/NIST.SP.800-171r3.
  8. Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. NIST SP 800-172, National Institute of Standards and Technology, 2 Feb. 2021, https://doi.org/10.6028/NIST.SP.800-172.
  9. Goswami, Rohan. “SEC Sues SolarWinds over Massive Cyberattack, Alleging Fraud and Weak Controls.” CNBC, 31 Oct. 2023, https://www.cnbc.com/2023/10/31/solarwinds-defrauded-investors-about-cybersecurity-sec-alleges.html.
  10. Menn, Joseph. “Kaseya Ransomware Attack Sets off Race to Hack Service Providers - Researchers.” Reuters, 3 Aug. 2021, https://www.reuters.com/technology/kaseya-ransomware-attack-sets-off-race-hack-service-providers-researchers-2021-08-03/.
  11. Brodsky, Sascha. “US Government Blames 2023 Exchange Breach on ‘Preventable’ Security Failures by Microsoft.” CSO Online, https://www.csoonline.com/article/2079967/us-government-blames-2023-exchange-breach-on-preventable-security-failures-by-microsoft.html.
  12. Natalucci, Fabio, et al. “Rising Cyber Threats Pose Serious Concerns for Financial Stability.” International Monetary Fund (IMF), 9 Apr. 2024, www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability#:~:text=Cyberattacks%20have%20more%20than%20doubled,experienced%20a%20much%20heavier%20toll.
  13. CMMC Implementation. U.S. Department of Defense CIO, https://dodcio.defense.gov/CMMC/Implementation/.