It’s 2025, Let’s Welcome CMMC 2.0
As we have just begun the first month of 2025, we can expect to see increasing numbers of agencies phased in to the newest Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) requirements and assessments. It's important to note that all civilian organizations that do business with the government are required to be compliant with CMMC 2.0, just as they were with the original CMMC program.

To understand CMMC 2.0, you first need to be familiar with the original CMMC program. That program was implemented to combat an issue the defense industrial base (DIB) faces frequently: cyberattacks. The Department of Defense (DoD) created the CMMC program to strengthen the security of the DIB and to complement the existing cybersecurity and information security requirements.

According to the Chief Information Officer of the U.S. DoD, “It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.”

The CMMC Model has three assessment levels that an agency or federal contractor/subcontractor must pass.

  1. Level 1 is the most basic: it requires an annual self-assessment and an affirmation of compliance with the 15 security requirements in FAR 52.204-21.
  2. Level 2 requires an assessment every 3 years, either a self-assessment or a CMMC Third-Party Assessor Organization (C3PAO) assessment, depending on the type of information that is processed, transmitted and/or stored on the contractor's information systems.
  3. Level 3 assessments are performed every 3 years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and ensure a higher level of protection for Controlled Unclassified Information (CUI).

The framework for CMMC 2.0 was released in November 2021, but it wasn't until October 2024 that the final rule was published.

CMMC 2.0 will continue to align with the standards of the National Institute of Standards and Technology (NIST) to safeguard sensitive information. You may be wondering what NIST is and why CMMC 2.0 follows its standards.

What is NIST?

NIST is an agency of the U.S. Department of Commerce and, according to its website, is one of the nation's oldest physical science laboratories. NIST's mission is to advance technology in every industry, including cybersecurity. NIST develops the cybersecurity standards and guidelines that federal agencies follow. Sometimes these guidelines are specific actions for companies to implement immediately; other times they lay out a long-term plan and solution for potential future technological and cybersecurity problems. Federal statutes and executive orders require NIST cybersecurity standards to be implemented in all federal agencies for non-national security systems, which is why the CMMC and CMMC 2.0 programs adhere to NIST standards.

Trinity IT’s Involvement with the CMMC Program

As a federal contractor for the DoD since 2007, Trinity IT has remained compliant with the CMMC program. We undergo the required assessments and prioritize the safety of sensitive information on our systems. We pride ourselves on having cybersecurity experts working around the clock to keep our systems and the government's information safeguarded.


Elizabeth Casalnova

(267) 396-7901

elizabeth.casalnova@trinityit.biz