Rising to the challenge: What security leaders need to know about CMMC 2.0

CMMC 2.0 is bringing compliance within reach of a wider range of DoD contractors and partner organizations. But success requires those who handle CUI to underst...

CMMC 2.0 compliance is a tall order for any defense organization — but especially so for small and midsize firms with limited IT resources.

More than 100,000 companies operate within the defense industrial base (DIB) — and it’s critical that each and every one of these organizations, regardless of size and budget, improve and mature their cybersecurity practices to limit vulnerabilities and risk to our national security. These considerations were behind the January 2020 release of DoD’s CMMC framework to assess the maturity level of contractors in protecting controlled unclassified information (CUI) and other sensitive data.

Now, there’s a streamlined version of the framework: CMMC 2.0. But while CMMC 2.0 is designed to be more accessible to a wider range of contractors, it’s still a complex and rigorous set of requirements. Rome wasn’t built in a day, and neither is a CMMC-compliant information security framework. So let’s examine CMMC 2.0, including what has changed since the first version of CMMC and the practices contractors must now implement in support of CMMC 2.0 compliance.

CMMC 2.0 alters the compliance landscape

The chief purpose of CMMC 2.0 is to simplify and strengthen elements of CMMC while still rigorously protecting CUI throughout the defense supply chain from cyber threats. Many of the guidelines borrow from existing frameworks like The National Institute of Standards and Technology’s Cybersecurity Framework, particularly sections NIST 800-171 and NIST 800-172.

Yet while the NIST framework is voluntary, CMMC 2.0 is not voluntary for many businesses in the DIB. CMMC even lays out specific requirements from NIST that should be met in order to be CMMC 2.0 compliant. Organizations contracting with DoD and that handle federal contact information (FCI) and CUI will be required to meet CMMC standards to continue working in the DoD space.

This poses a challenge as contractors work to demonstrate mature processes and cybersecurity best practices that are effective against today’s data security risks, while also future-facing to address more advanced threats as attack vectors evolve. Success requires both an understanding how CMMC 2.0 has shifted the compliance landscape, and how data management systems need to adjust to better protect information assets and meet the new CMMC 2.0 compliance parameters.

Understanding what’s changed in CMMC 2.0

A lot has shifted between the initial release of CMMC in 2020 and the updated CMMC 2.0 guidance. Here is a rundown of some of the most significant changes that contractors should understand:

  • Simplified range of compliance levels – DoD simplified CMMC levels from five to just three. Level 1 is for all organizations contracting with the DoD and/or handling FCI. Level 2 is for organizations handling CUI, but perhaps not as frequently. And Level 3 is for organizations handling CUI frequently. The higher the level, the more security requirements that must be met.
  • More self-assessment options — Self assessment is allowed at Levels 1 and 2, enabling smaller or medium-sized businesses in the DIB to reduce cost by self-assessing, or paying for an affordable third party to affirm compliance with CMMC 2.0 requirements.
  • Increased scrutiny of third-party assessors — Businesses will still be beholden to the standards of CMMC in their third-party or self assessments; CMMC 2.0 includes standards for third-party assessors to ensure they are properly and ethically maintaining compliance within their assessments.
  • Allowance for plans of actions & milestones (POA&M) — To cut down on cost and effort in meeting compliance in a short amount of time, DoD will allow select entities to share plans of action to eventually reach CMMC 2.0 compliance.
  • More flexibility for waivers — Some exceptions to the CMMC 2.0 rules are now allowed for certain contractors tasked with urgent or mission-critical projects. Such waivers require the approval of senior government leadership.

While there’s a learning curve in understanding the above changes in CMMC 2.0, the good news is that these steps are all ultimately in service of reducing complexity and costs – provided organizations take the necessary steps to optimize their data operation for CMMC 2.0 compliance.

CMMC 2.0 compliance requires stronger data protection solutions

CMMC 2.0 may simplify the task of compliance, but the consequences of non-compliance remain steep — especially in the defense sector, where data protection can have a direct impact on national security. A critical first step for many contracting firms is to clarify the compliance bar that applies to them by verifying where they fit into the revised CMMC 2.0 category levels. This can be done with a deep-dive assessment of how the organization stores and shares CUI, and the adequacy of current protections.

As these efforts play out, agency contractors soon realize that the key to compliance at any CMMC level resides primarily with how their data is managed and secured. For instance, CMMC 2.0 Level 3 requires that encryption be used for data at rest and in motion — including CUI, FCI, passwords and more. Thankfully, strong encryption is becoming increasingly fast and easy to implement – satisfying even the demanding Level 3 encryption standards while remaining accessible and affordable to Level 1 and 2 organizations.

Strong encryption solutions can apply end-to-end protections and data-centric controls to the nation’s most sensitive data — no matter where it lives or travels across email, file sharing, gateways, software as a service applications and more. Especially when data can be wrapped with encryption at the object level, organizations can obtain complete, autonomous control over every piece of sensitive information. Granular access controls can be audited and monitored, giving data owners complete oversight of who has accessed any given piece of data, with the ability to revoke and grant access at any time. The best solutions will enable customers to host their own encryption keys for complete control and sovereignty over the keys protecting encrypted data.


CMMC 2.0 is bringing compliance within reach of a wider range of DoD contractors and partner organizations. But success requires those who handle CUI to understand both the changes CMMC 2.0 is bringing, and how stronger encryption and other data protection measures can be deployed to help meet these new CMMC 2.0 compliance requirements.

Matt Howard is senior vice president at Virtru.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories