The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) 2.0 proposed rule on December 26, 2023, setting the stage for a three-year rollout starting in 2025. For Defense and Intelligence Community (DoD/IC) contractors, this marks a critical moment to prepare for mandatory compliance to maintain contract eligibility. This blog post breaks down the proposed rule, highlights the urgency of proactive action, and provides practical strategies to meet CMMC Level 2 requirements, focusing on the 110 NIST SP 800-171 controls needed to protect Controlled Unclassified Information (CUI).
Key Details of the CMMC 2.0 Proposed Rule
The proposed rule outlines a phased implementation of CMMC 2.0, with assessments beginning in Q1 2025 and full adoption expected by mid-2028. Key points include:
- Level 1 (Foundational): Contractors handling Federal Contract Information (FCI) must complete self-assessments for 17 basic cybersecurity practices.
- Level 2 (Advanced): Contractors managing CUI must achieve certification for 110 NIST SP 800-171 controls, with third-party assessments required for most contracts. Self-assessments may be allowed for less sensitive contracts.
- Level 3 (Expert): Reserved for high-value CUI, requiring government-led assessments and additional NIST SP 800-172 controls.
The rule emphasizes that Level 2 certification is mandatory for contracts involving CUI, making it the primary focus for most DoD/IC contractors. Assessments will be conducted by accredited CMMC Third-Party Assessment Organizations (C3PAOs), and certifications will be valid for three years, with annual affirmations of compliance.
Why Act Now?
With assessments starting in Q1 2025, contractors face a tight timeline to achieve compliance. Delaying preparation risks losing contract eligibility, as CMMC 2.0 certification will be a prerequisite for bidding on or renewing DoD contracts. Proactive steps today can help contractors:
- Identify and address compliance gaps before audits begin.
- Avoid rushed, costly remediation efforts.
- Build a competitive edge by demonstrating readiness to prime contractors and DoD stakeholders.
- Strengthen cybersecurity to protect against evolving threats targeting the defense supply chain.
The 110 NIST SP 800-171 controls for Level 2 are comprehensive, covering areas like access control, incident response, and system monitoring. Preparing for these requires time, planning, and systematic execution.
Strategies to Meet CMMC Level 2 Requirements
To achieve CMMC Level 2 certification and secure CUI effectively, contractors can adopt the following strategies:
1. Conduct a Comprehensive Gap Analysis
Start by assessing your current cybersecurity practices against the 110 NIST SP 800-171 controls. Key steps include:
- Map Existing Controls: Review policies, technical configurations, and processes to identify which controls are already in place.
- Identify Gaps: Pinpoint deficiencies, such as missing multi-factor authentication, inadequate audit logging, or incomplete incident response plans.
- Prioritize Remediation: Focus on high-impact gaps that could delay certification or increase risk.
Documenting this analysis provides a clear roadmap for compliance and helps streamline future audits.
2. Develop a System Security Plan (SSP)
An SSP is a cornerstone of CMMC Level 2 compliance, detailing how your organization implements NIST SP 800-171 controls. To create an effective SSP:
- Describe Your Environment: Outline systems, networks, and processes that handle CUI.
- Detail Control Implementation: Explain how each of the 110 controls is met, including tools, policies, and procedures.
- Update Regularly: Revise the SSP as systems or controls change to ensure it reflects your current posture.
A well-crafted SSP demonstrates to assessors that your organization has a structured approach to cybersecurity.
3. Create a Plan of Action and Milestones (POA&M)
For controls not yet fully implemented, a POA&M outlines remediation steps. To build a robust POA&M:
- List Open Gaps: Specify which controls are incomplete and why.
- Set Timelines: Assign realistic deadlines for remediation, prioritizing critical controls.
- Assign Responsibilities: Designate team members or roles to oversee each action.
- Track Progress: Regularly review the POA&M to ensure milestones are met.
A POA&M is not a failure—it’s a proactive tool to show assessors your commitment to full compliance.
4. Secure CUI with Microsoft 365 GCC High
Microsoft 365 GCC High is a cloud platform tailored for DoD contractors, designed to meet DFARS 7012 and CMMC requirements for CUI protection. To leverage it effectively:
- Assess Data Needs: Identify which data and workflows require GCC High’s enhanced security.
- Configure Security Features: Enable data loss prevention (DLP), encryption, and secure access controls to safeguard CUI.
- Segment CUI: Use dedicated tenants or containers to isolate CUI from non-sensitive data.
- Train Staff: Ensure employees understand how to use GCC High tools securely for collaboration and storage.
Proper configuration of GCC High aligns with multiple NIST SP 800-171 controls, such as access control and media protection.
5. Prepare for Third-Party Assessments
Level 2 certification typically requires a C3PAO assessment. To ensure readiness:
- Conduct Mock Audits: Simulate the assessment process to identify weaknesses in documentation or control implementation.
- Organize Evidence: Compile artifacts like SSPs, POA&Ms, logs, and policies for easy access during the audit.
- Engage Stakeholders: Train staff to articulate processes and demonstrate compliance to assessors.
- Address Findings Promptly: If gaps are identified during practice, update controls and documentation before the official audit.
Early preparation reduces the risk of delays or failed assessments.
6. Adopt a Strategic IT Approach
Long-term compliance requires aligning IT with operational and contractual goals:
- Implement Continuous Monitoring: Use tools to track system activity, detect threats, and maintain compliance with controls like audit logging.
- Maintain Documentation: Keep records of control implementation, training, and incidents to support annual affirmations.
- Plan for Scalability: Ensure IT systems can adapt to new contracts or increased CUI volumes.
- Stay Informed: Monitor DoD updates and industry best practices to anticipate changes in requirements.
A strategic approach minimizes disruptions and sustains compliance over time.
Key Considerations for 2025
As the CMMC 2.0 rollout begins, contractors should watch for:
- Contractual Shifts: More RFPs will include CMMC Level 2 requirements, with compliance verification mandatory.
- Supply Chain Expectations: Prime contractors will demand proof of compliance from subcontractors, increasing scrutiny.
- Evolving Threats: Sophisticated cyberattacks targeting CUI underscore the need for robust controls beyond minimum requirements.
Proactive preparation now will help contractors navigate these changes seamlessly.
Conclusion
The CMMC 2.0 proposed rule signals a transformative shift for DoD/IC contractors, with Level 2 certification becoming a non-negotiable requirement for handling CUI. By starting now—conducting gap analyses, developing SSPs and POA&Ms, securing CUI with platforms like Microsoft 365 GCC High, and preparing for assessments—contractors can stay ahead of the 2025 rollout. These steps not only ensure compliance but also strengthen cybersecurity, protecting national security and enhancing contract competitiveness.