The Department of Defense (DoD) is one of the biggest expenses for the U.S. government, garnering a whopping $1.9 trillion budget for 2023. And the Defense Industrial Base Sector that supports these efforts comprises over 100,000 companies and subcontractors.
Unsurprisingly, with such staggering numbers on the line, the DoD’s subcontractors are required to meet stringent compliance requirements, known as the Cybersecurity Maturity Model Certification (CMMC). CMMC encompasses multiple maturity levels, ranging from “Foundational” to “Expert.”
If your business has to comply with CMMC, you may be feeling overwhelmed and wondering where to begin. Luckily, the framework is designed to be flexible enough for small and medium-sized enterprises (SMEs) to work with the DoD, and it’s much more approachable with assistance from JumpCloud.
In this article, you’ll learn what the CMMC is, when you’ll be required to comply with it, and all about the three levels that make up CMMC 2.0. Then, we’ll show you how JumpCloud makes meeting CMMC requirements easy.
What Is Cybersecurity Maturity Model Certification (CMMC) 2.0?
The United States Department of Defense created the Cybersecurity Maturity Model Certification program in 2020 to improve national security by ensuring government information is protected while being shared with or used by defense contractors.
The security program in place for DoD subcontractors before CMMC, DFARS 252.204-7012, left designing and monitoring a cybersecurity program up to the subcontractors, with no required audits or assessments. CMMC tightens these requirements by implementing a third-party assessment-based certification model.
The certification helps Defense Industry contractors improve their companies’ security postures by requiring compliance with a stated framework of policies and procedures. The DoD released an updated CMMC 2.0 in July 2021 in an effort to further enforce security standards.
While there are various subcategories in each section depending on the level of certification, the CMMC 2.0 model recognizes 17 security capabilities:
- Access Control (AC), including internal and remote system access and limiting user access depending on their role
- Asset Management (AM), including the ability to identify and track all assets
- Audit and Accountability (AU), including creating audit requirements, routinely performing audits, and securely managing audit logs
- Awareness and Training (AT), including training employees on security
- Configuration Management (CM), including performing change management activities
- Identification and Authentication (IA), including providing user access only after they have been authenticated
- Incident Response (IR), including developing a plan, reporting events, and performing follow-ups
- Maintenance (MA), including having an established plan for device upkeep
- Media Protection (MP), including having a plan to protect, control, and sanitize media during transport and while it’s in the contractor’s possession
- Personnel Security (PS), including screening personnel and protecting sensitive data from unauthorized personnel
- Physical Protection (PE), including limiting physical access to government information
- Recovery (RE), including implementing a plan to manage backups
- Risk Management (RM), including identifying risks and developing a plan to combat and manage them
- Security Assessment (CA), including creating a security plan and performing routine reviews
- Situational Awareness (SA), including implementing threat monitoring plans or software
- System and Communications Protection (SC), including defining security requirements and controlling communications
- System and Information Integrity (SI), including identifying and managing any system flaws and regularly monitoring for vulnerabilities
Many of these capabilities can be achieved by creating security best practices and related processes. The CMMC includes 171 such practices in all, though the number of practices a contractor must demonstrate depends on the level of certification they need.
When Will CMMC Be Required?
CMMC 2.0 requires third-party assessments for all Level 3 and many Level 2 contractors. The DoD began adding level requirements to defense contractor Requests for Information (RFIs) at the highest security levels in 2021, and has increased the number of RFIs carrying these requirements every year since. When included, these requirements must be met in order for a contractor to be chosen for a project.
In FY 2023, the DoD expects to include CMMC requirements on 250 defense contracts, increasing to 325 in 2024, and 475 in 2025. By January 1, 2026, all contractors must achieve Level 1 certification, and by Fall 2026, all new contracts will include CMMC requirements.
CMMC 2.0 Levels
While the original CMMC had a five-tier model, 2.0 has just three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Each level has its own required processes, practices, and assessments for a contractor to become and remain certified. The level a subcontractor must achieve depends on the sensitivity of the data they handle.
CMMC 2.0 Level 1: Foundational
This level focuses on protecting Federal Contract Information (FCI), information provided by the government for a contracted product or service that isn’t intended for public release.
- What is required: Contractors must use 17 basic cybersecurity practices on an as-needed basis. Documented proof of compliance is not necessary at level 1.
- Who must comply: Any contractor that accesses or uses FCI will need to achieve Level 1 certification (virtually all defense contractors).
- How are you assessed: Certification is achieved through a yearly self-assessment.
The security practices required to achieve Foundational certification are practices many companies already observe — and if you don’t currently, you should.
CMMC 2.0 Level 2: Advanced
This level focuses on protecting Controlled Unclassified Information (CUI), government-owned information that requires safeguarding or dissemination controls.
- What is required: Contractors must observe the 110 practices associated with NIST SP 800-171. They must document a repeatable process to observe these practices, and then perform them as documented.
- Who must comply: Any contractor or subcontractor that works with, stores, or requires CUI in order to complete their product or service.
- How are you assessed: There are two assessment levels for Level 2, depending on the nature of the CUI that’s being handled. If the CUI is deemed not critical to national security, contractors certify through an annual self-assessment. If the information is critical to national security, they must pass a third-party assessment every three years.
Level 2 in CMMC 2.0 is largely based on the NIST SP 800-171 requirements, so if you already comply with these, you’ll be well-positioned to certify at this level. The required practices are considered “advanced cyber hygiene practices.”
CMMC 2.0 Level 3: Expert
This level focuses on protecting the highest-priority FCI and CUI, and therefore has the most stringent requirements for certification. Contractors who achieve Level 3 certification have a robust security program with the fewest possible vulnerabilities.
- What is required: Contractors must develop and maintain a comprehensive cybersecurity plan that includes goals, projects, resource allocation, training, and executive stakeholder involvement. Level 3 also requires all the security practices of NIST SP 800-171, a selection of NIST SP 800-172 requirements, and 20 other additional requirements, like reporting security breaches.
- Who must comply: Any contractor or subcontractor that works with, stores, or requires the highest-priority CUI in order to complete their job.
- How are you assessed: Similar to Level 2 national-security-critical subcontractors, all Level 3 contractors will be audited by a government-issued third party every three years.
Each Department of Defense contract will include details on which CMMC 2.0 level the contractor must certify with prior to the start of the project, and will provide the third-party auditor to achieve certification.
Meeting CMMC Requirements With JumpCloud
JumpCloud makes achieving and maintaining CMMC requirements far easier than trying to manage all your security initiatives alone. Our open directory platform has several features to help you meet multiple CMMC and NIST requirements simultaneously.
Identity and Access Management
Identity and Access Management is a type of security that ensures the right users have access to the right resources when they need them, while minimizing the risk of data leaks. JumpCloud’s open directory platform allows you to securely manage all your organization’s user identities and the resources they’re able to access from a single pane of glass.
Federating identities greatly improves your security program by reducing the attack surface a cybercriminal can use to obtain sensitive information. It also ensures that you can act quickly in the event of a breach by giving you controls to all user identities in a single place.
JumpCloud also provides a variety of access control options based on the principle of least privilege — giving each user only what they need to do their job, and nothing more. Implement multi-factor authentication (MFA) and single sign-on (SSO) to significantly reduce the risk of compromised credentials, and use least privilege policies to ensure that, even if an identity is breached, that account has access to the least-possible information.
Of the 17 stated CMMC domains, our identity and access management options help you to reach compliance in Access Control, Access Management, Identification and Authentication, Incident Response, Personnel Security, System and Communications Protection, and System and Information Integrity.
Auditing and Compliance
JumpCloud’s open directory platform allows IT admins to centrally access and monitor data for all compliance and auditing needs. You can quickly view, control, and secure all devices employees use to access company resources or information, and quickly deploy policies to ensure all employees remain compliant, even between audits.
Develop your own commands and policies to decrease the risk of data leaks or cyberattacks in real time. Manage all user events, attacks, or other security incidents directly from the platform, and use JumpCloud System Insights to quickly view and export data for any upcoming audits.
Of the 17 stated CMMC domains, our auditing and compliance options help you to certify in Access Control, Access Management, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Personnel Security, Recovery, Risk Management, Security Assessment, System and Communications Protection, and System and Information Integrity.
Device Management
To properly secure all user devices and data, you need to partner with a platform with robust Device Management features like JumpCloud.
Our product is platform-agnostic, meaning your IT team can still exercise full security control, regardless of whether a user has a Mac, Linux, or PC device. You can seamlessly manage every device, regardless of the vendor, policy, or protocol, so there’s no roadblock to achieving top-notch data security.
Your control extends to mobile devices, too. Centrally manage all your organization’s macOS, iOS, iPadOS, and even tvOS devices straight from the JumpCloud dashboard, so you can quickly provision or deprovision users as employees come and go, or immediately secure any lost or stolen devices to minimize data compromise.
Get Compliant Today
Ready to start getting compliant? JumpCloud’s IT Compliance Quickstart Guide was designed to get IT professionals the resources they need to prepare for an audit or shore up their IT security baseline. Or, you can try JumpCloud for yourself by getting an account today. Your first 10 users and devices are free.