Cybersecurity Maturity Model Certification (2.0)

In 2020 we all faced unexpected delays in business because of a global pandemic, but one area we cannot backslide is cybersecurity. The federal government has already committed and assured contractors that Cybersecurity Maturity Model Certification (CMMC) will continue to be rolled out on schedule and without delay. The first official version of the CMMC was released on January 31, 2020.

On November 4, 2021, the Department of Defense released a revised version of the Cybersecurity Maturity Model Certification and is now commonly referred to as CMMC 2.0.

*****Latest updates*****

On May 10, 2023, NIST released a revised version of NIST 800-171 Revision 3 It is currently in draft phase awaiting comments, but this could potentially mean changes to the CMMC 2.0 standard and the necessary assessment criteria. Giga-Green is closely monitoring changes and actively communicating with our customers regarding potential impacts to their certification enclaves.

On this page:

What is Cybersecurity Maturity Model Certification (CMMC 2.0)?

This is a necessary evaluation and 3rd party issued certification for Defense Industrial Base (DIB) affiliated businesses that determines by your cybersecurity posture. The federal government has deemed cybersecurity a critical component of contracting, bid award criteria, and will be a requirement for contracting going forward. Giga-Green Technologies has been closely aligned with the NIST 800 series since our inception in 2016 and have been actively working with DoD contractors since 2020 to secure physical and cloud environments to NIST 800-171 standards.

CMMC 2.0 consists of three progressively secure levels of certification built around 17 different domains of cybersecurity and organizational health. We’ve listed the 14 evaluation criteria and brief descriptions below. These knowledge domains were developed from NIST 800-171 standards and have been assigned minimum levels of compliance to achieve a CMMC 2.0 certification. Currently, a CMMC 2.0 certification is anticipated to be valid for 3 years and then be reassessed.

What do these changes entail from the originally proposed CMMC 1.0? The DoD provides the following graphic to align the changes between CMMC 1.0 and CMMC 2.0.

Generally simplified from version 1.0, CMMC 2.0 aims to align more closely with the already enacted FAR (52.204-21) and DFAR (252.204-7012) clauses.

CMMC 2.0 Level 1Federal Contracting Information (FCI) will need to be safeguarded with 15 documented practices and controls

CMMC 2.0 Level 2Controlled Unclassified Information (CUI) will need to be safeguarded with 110 documented practices and controls (NIST 800-171)

CMMC 2.0 Level 3 – Under development (NIST 800-172)

How to prepare for a CMMC 2.0 evaluation

The first question we are asked is “Where do we start?” Our process is the same used and recommended by the NIST 800-Series documentation. A high level overview of the required steps and their respective NIST publications are outlined below:

Too much? Many of our customers have and would say this looks daunting… and we are only at the start.

Want to know more about each of these steps and what each include? Take a look at how to identify FCI/CUI, scope and categorize assets, assess your systems, and build documentation by visiting our detailed CMMC preparation page located here:

The Process – Giga-Green Technologies Inc.

NIST 800-171/CMMC 2.0 Assessment Domains:

The assessment domains between NIST 800-171 and CMMC 2.0 will remain unchanged and are applied across all in-scope systems. The 14 domains include:

  • Access Controls (AC) – Limiting user access to information systems
  • Audit & Accountability (AU) – Ability to track user actions to the individual
  • Awareness and Training (AT) – Measures taken to educate your workforce
  • Configuration Management (CM) – Appropriate configuration, limitation, and use of documented systems
  • ID & Authentication – (IA) – Identifying end users correctly and their ability to access systems (multifactor authentication at CMMC 2.0 Level 2)
  • Incident Response (IR) – Cybersecurity breach and organizational disaster recovery and business continuity planning
  • Maintenance (MA) – Performance of regular maintenance and software updates
  • Media Protection (MA) – Proper disposal, transfer, and housing of FCI and CUI data
  • Personnel Security (PS) – Screening and authorizing users before accessing data, prevention of data loss through employees
  • Physical Protection (PE) – Limiting physical access to resources and monitoring building activity
  • Risk Management (RM) – Identifying and mitigating environmental vulnerabilities
  • Security Assessment (CA) – Develop, document, and continually improving security postures
  • Systems and Communications Protections (SC) – Defining and controlling environment security boundaries, and monitoring for appropriate usage
  • System and Information Integrity (SI) – System updates, identifying malicious content, employing monitoring systems to maintain integrity, protecting e-mail communications

Why Giga-Green Technologies?

Giga-Green was formed and built with security as a fundamental and foundational principal to our operations. We build our internal processes based off the existing NIST 800-171 standard and do on a minimal budget. We have the history of leveraging cloud solutions to rapidly and cost-effectively secure hybrid-datacenter environments. Alternatively, we’ve mobilized businesses to secure cloud-only environments that adhere to NIST standards.

We understand NIST compliance and cybersecurity is a ‘daunting’ and complex task. We understand that your business will have unique challenges that will need to be addressed. We are here to help understand your needs and transform your organization into a secure system.

On March 15th, 2021, Giga-Green was recognized by the CMMC Accreditation Body as a Registered Provider Organization (RPO). This requires at least one individual to complete CMMC training and become certified as a Registered Practitioner (RP). Prior to our acceptance, we were actively implementing NIST compliant solutions and managing as needed.

Like all businesses out there currently, Giga-Green can only wait until more information is released, but that doesn’t mean we can’t do our part to help you prepare for upcoming requirements.

CMMC 2.0 Self-Assessments

Verified by MonsterInsights