CMMC 2.0 Is Important For The DIB, The U.S. Military, and Taxpayers Like You And Me
Why does the CMMC exist?
The DoD created the CMMC (Cybersecurity Maturity Model Certification) on an aggressive timeline in response to the unacceptable rate of data breaches occurring in the DIB (Defense Industrial Base). Even before the DoD rolled out CMMC, DIB companies were required to self-attest that they were compliant with NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Defense contractors broadly claimed to meet these requirements. Yet despite the self-attestations, CUI (Controlled Unclassified Information) kept finding its way into the hands of adversaries of the United States.
But how could this happen? Could defense contractors really be lying to the US government for profit? Would they really allow hundreds of billions of US tax dollars to directly fund the development of the United States' adversaries' militaries just so they didn't have to fund their own cybersecurity programs? Unfortunately, yes. They were lying to the DoD, not complying with NIST SP 800-171, and allowing foreign adversaries to steal US military secrets. The programs about which China is known to have stolen information include, among others, the F-35 Fighter, the F-15 Fighter, the B-52 Bomber, the Aegis Combat System, the Patriot Missile system, the Delta IV Rocket, and even the Space Shuttle (Blair & Alexander, 2017).
Whether the DIB's non-compliance was due to conscious disregard or negligence, its failure to properly secure sensitive information led to the loss of intellectual property and information about military hardware at a previously unheard-of scale. The DoD performed "spot checks" on select companies in the DIB to see whether the self-attestations were sound. The findings led the DoD to conclude that it had to step in and enforce compliance on the DIB (Columbo, 2021). Enter CMMC.
Key Differences Between Tiers of CMMC 1.0 and CMMC 2.0
CMMC 1.0, the current iteration of the model, is split into 5 tiers of maturity, ranging from tier 1, Basic, which allows certified organizations to handle FCI (federal contract information), to tier 5, Advanced, which allows certified organizations to handle CUI and information related to critical programs (DoD, 2024). CMMC 2.0, which replaces the 5-tier system with a 3-tier one, is in the works and will be released in the near future, with rollout beginning in December 2024. In fact, preliminary versions have been published and are currently open for public comment. Below is a summary of the CMMC 1.0 tiers and the CMMC 2.0 tiers, what they are, and how they relate to one another.
Basic-Tier Compliance
CMMC 1.0 Tier 1
- Requires adoption of 17 security practices
- Requires triennial 3rd-party assessment for certification
- Allows handling FCI
CMMC 2.0 Tier 1
- Requires compliance with 15 security requirements
- Requires annual self-assessment and annual affirmation for certification
- Allows handling FCI
Intermediate-Tier Compliance
CMMC 1.0 Tier 2
- Requires adoption of 72 security practices & 3 maturity processes
- Does not require certification
- This is a transition tier
CMMC 2.0 does not include an intermediate transition tier.
Good-Tier Compliance
CMMC 1.0 Tier 3
- Requires adoption of 130 security practices and 3 processes
- Requires triennial 3rd-party assessment for certification
- Allows handling CUI
CMMC 2.0 Tier 2
- Requires compliance with 110 security requirements aligned with NIST SP 800-171
- Requires triennial 3rd-party assessment or triennial self-assessment (for certain programs) for certification
- Allows handling CUI
Proactive-Tier Compliance
CMMC 1.0 Tier 4
- Requires adoption of 156 security practices and 4 processes
- Does not require certification
- This is a transition tier
CMMC 2.0 does not include a proactive transition tier.
Advanced-Tier Compliance
CMMC 1.0 Tier 5
- Requires adoption of 172 security practices and 5 processes
- Requires triennial 3rd-party assessment for certification
- Allows handling CUI and critical programs
CMMC 2.0 Tier 3
- Requires compliance with 110+ security requirements aligned with NIST SP 800-171 and 800-172
- Requires triennial government-led assessment and annual affirmation
- Allows handling CUI and critical programs
The above information was sourced from the DoD (DoD, 2024) and shows that CMMC 2.0 will include some key differences from CMMC 1.0, including the removal of the transitional tiers. Additionally, while 2.0's Basic tier no longer requires any 3rd-party assessment, its Advanced tier certification will involve a government-led assessment rather than one conducted by a private certification organization.
At the end of the day, the CMMC is absolutely necessary to stop defense contractors from leaking FCI and CUI. It already seems to have had some effect on the rate of data theft attributed to China, down from 26 incidents in 2020 to 16 incidents in 2022 according to the Center for Strategic and International Studies (CSIS, 2023), though the real cause of the decrease is difficult to pin down. As CMMC 2.0 is finalized, rolled out, and implemented across the DIB, it will be interesting to see how these numbers change.
If you liked this article, check out my next post on CMMC implementation and what is required for compliance.
References
- Blair & Alexander (2017).
- Columbo (2021).
- CSIS (2023). Survey of Chinese Espionage in the United States Since 2000. Center for Strategic and International Studies.
- DoD (2024).