What is the Cybersecurity Maturity Model Certification 2.0?

Defense contracting is changing: Department of Defense (DoD) contract requirements increasingly demand stronger cybersecurity capabilities, demonstrated ongoing maturity, and CMMC compliance, all aimed at defending against foreign adversaries and preventing the exfiltration of sensitive data that threatens national security.

What is CMMC 2.0? 

Cybersecurity Maturity Model Certification (CMMC) 2.0 is a revised cybersecurity framework that evaluates and enforces the effective implementation of security controls defined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) by any organization in the DoD supply chain. NIST SP 800-171 is the current security standard mandated by the DoD for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations, and it serves as the foundation for CMMC 2.0 compliance.  

Successful CMMC certification verifies that a company's cybersecurity practices and processes are mature, resilient, sustained over time, and aligned with the NIST SP 800-171 controls.


Why does CMMC 2.0 compliance matter? 

When storing, handling, or transmitting CUI, NIST SP 800-171 is not just important—it’s mandatory, and has been for more than 5 years. The relationship between NIST SP 800-171 and CMMC 2.0 is direct. NIST SP 800-171 identifies 110 controls for protecting CUI, while CMMC 2.0 verifies the proper and continuous implementation and execution of these controls through its CMMC certification process. 

CMMC 2.0 compliance enhances the defense industry’s cybersecurity posture by adopting a comprehensive, consistent, and verifiable approach to and application of cybersecurity across the Defense Industrial Base (DIB), better safeguarding CUI against threats. 

Who needs CMMC accreditation? 

Once CMMC 2.0 goes into effect, any organization in the DoD supply chain, including subcontractors at any tier and even those that never come in contact with CUI, must comply with one of CMMC 2.0's three Maturity Levels. Your contractual obligations, based on your interactions with CUI and the nature of the work performed, will determine which Maturity Level you will need to achieve.


When will CMMC compliance be required? 

In 2020, the Department of Defense (DoD) announced a 5-year plan for Cybersecurity Maturity Model Certification (CMMC), leading to the updated “CMMC 2.0” in 2021. The 2023 rule-making process is expected to result in its inclusion in DoD contracts by 2024. 

On July 24, 2023, the DoD submitted CMMC-related rulemaking to the White House's Office of Information and Regulatory Affairs (OIRA) for review. This is a crucial step toward bolstering cyber defense within the defense supply chain, bringing CMMC compliance one step closer to appearing as a requirement in DoD contracts via the Defense Federal Acquisition Regulation Supplement (DFARS). OIRA's review, expected to take up to 90 days, will be followed by a 60-day public comment period and subsequent finalization of the rule. This process and timing underscore the expectation that CMMC 2.0 will be fully implemented by the fall of 2024 as DFARS clause 252.204-7021 (DFARS 7021).

Note: Companies with contracts that currently include DFARS clause 252.204-7012 (DFARS 7012) already must comply with NIST SP 800-171, which aligns with the CMMC 2.0 requirements. Under DFARS 7012, companies may self-assess their compliance with the NIST SP 800-171 controls. Under DFARS 7021, to receive CMMC certification, most of the DIB will be subject to a third-party audit of compliance by a CMMC Third Party Assessment Organization (C3PAO), raising the bar.

How long does it take to get ready for CMMC? 

Getting ready to meet the standard takes time, more than most companies anticipate, especially with a C3PAO ultimately conducting the audit. Achieving CMMC compliance can take businesses 6-12+ months depending on their current cybersecurity hygiene, so it is imperative to begin preparations before CMMC 2.0 certification is mandated. Companies must comply with CMMC 2.0 and hold their certification once the rule goes into effect and is included in contracts.


Your CMMC 2.0 Certification Journey with Exostar 

The road to CMMC certification can be challenging. With Exostar, you'll have an ally to support you at each step of the journey:


  1. Define Scope 
  2. Document & Implement 
  3. Submit & Remediate 
  4. Monitor & Manage 
  5. Prepare for Assessment 
  6. Maintain Compliance 

Looking for a More Comprehensive NIST/CMMC Solution? Try Exostar’s CMMC Ready Suite

CMMC 2.0 strengthens the cybersecurity framework and accountability for defense contractors. As the rule nears finalization, businesses within the DIB must prepare for the transition. Exostar's CMMC Ready Suite of products and services will be a vital ally in navigating this period and continuing to do business within the DIB.


CMMC Ready Suite


Exostar’s Managed Microsoft 365

Collaborate securely and compliantly with a solution offering that meets 85 of the 110 NIST SP 800-171 controls required for CMMC 2.0.

This solution supercharges the familiar Microsoft Teams environment with enhanced cybersecurity. It meets 85 of the 110 NIST SP 800-171 controls for CMMC 2.0 "out of the box," making it a strong choice for DoD compliance needs. It suits large enterprises seeking sophisticated collaboration tools to better protect their intellectual property, as well as small-to-medium-sized businesses looking for a practical solution that does not require a large upfront investment in purchasing and deploying Microsoft 365 themselves.


Certification Assistant

Understand the NIST SP 800-171 controls, track your CMMC compliance journey and score your progress, and give your organization a single location to keep all relevant documents and records.

Complete your self-assessment against the 110 NIST SP 800-171 security controls, calculate your Supplier Performance Risk System (SPRS) score, automatically generate your System Security Plan (SSP), and create your Plan of Action and Milestones (POA&M).


Exostar PolicyPro

Create, document, and maintain the policies required by NIST SP 800-171.

Using Policy Builder, create compliant policies from scratch and/or accurately update existing policies across the 14 control families to help address all 110 controls.


Basic Assessment Service for NIST SP 800-171 and CMMC 2.0

Receive a third-party NIST SP 800-171/CMMC assessment and gap analysis to understand exactly where you stand on your compliance journey.

Walk away with a submission-ready NIST SP 800-171 Basic Assessment including your SSP, POA&M, and SPRS scores.


Streamlining CMMC Compliance and Empowering DIB Companies

Our suite of solutions gives DIB companies an efficient and effective way to meet the forthcoming requirements of CMMC 2.0. It simplifies the compliance process, saves time and resources, and helps reduce the risk of non-compliance. By leveraging these solutions, DIB companies can improve their cybersecurity posture, be prepared to meet their compliance requirements, and position themselves to participate in future government contracts as a prime contractor or a preferred subcontractor. Exostar's CMMC Ready Suite is the ideal solution for:

  • Organizations that store, process, or transmit CUI and are required to comply with DFARS clauses 252.204-7012, 7019, and 7020, and the upcoming 7021 clause tied to CMMC 2.0.
  • Businesses looking for an efficient and cost-effective way to meet their compliance requirements and continue participating in government contracts.
  • Businesses needing to improve their NIST SP 800-171 assessment score in the DoD's SPRS, since contracting officers must consider SPRS supplier risk assessments when evaluating contract bids per DFARS clause 252.204-7024.
  • Prime contractors seeking to improve their supply chain cybersecurity posture by helping their suppliers raise their SPRS scores and better meet the requirements of CMMC 2.0.