Preparing for CMMC 2.0 and how ConnectWise can help

Posted: 08/16/2024 | By: Patrick Beggs

What is Cybersecurity Maturity Model Certification (CMMC)? 

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the US Department of Defense (DoD) in January 2020 to establish a single, unified cybersecurity standard for the defense industrial base (DIB). It applies to companies in the DIB supply chain and sets out the requirements for protecting the confidentiality of federal contract information (FCI) and controlled unclassified information (CUI).

In other words, the federal government standardized the rules for protecting the sensitive information that defense contractors must transmit and store in the course of their work.

Before CMMC, each contractor was solely responsible for implementing, monitoring, and attesting to the security of its own IT systems and of any sensitive information transmitted by or stored on them. The biggest change CMMC introduced was the requirement that contractors engage third-party assessors to verify compliance rather than simply declaring it themselves.

CMMC 1.0 

The initial 2020 framework consisted of five levels of cybersecurity maturity, with levels 2 and 4 intended as transition stages between levels 1, 3, and 5. Under CMMC 1.0, government contractors could no longer self-attest compliance; every level required assessment by an accredited third party.

CMMC 2.0 

The latest version removes the transition stages (levels 2 and 4), leaving three levels in the framework. According to the DoD website, “The CMMC 2.0 program is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.”

Under the CMMC 2.0 framework, Level 1 is satisfied by an annual self-assessment, and a subset of Level 2 contracts allow self-assessment as well. The remaining Level 2 contracts require a triennial assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO), and Level 3 requires a government-led assessment, so many companies will still need third-party certification at the appropriate level.

At the time of writing, the department is still in the rulemaking process, so CMMC 2.0 is not yet a contractual requirement. In the meantime, contractors can use the information already published to start preparing for the change.

CMMC 2.0 levels explained 

Level 1 (Foundational) corresponds to the previous Level 1. It focuses on basic cyber hygiene, protects only FCI, and requires implementing 17 practices drawn from the basic safeguarding requirements of FAR 52.204-21.

Level 2 (Advanced) corresponds to the previous Level 3. It requires the 110 security requirements of NIST SP 800-171 and protects both FCI and CUI. For most contractors handling CUI, achieving Level 2 should be the goal moving forward.

Level 3 (Expert) corresponds to the previous Level 5. It applies to the highest-risk DoD programs and contracts, protects both FCI and CUI, and requires full NIST SP 800-171 compliance plus a subset of the enhanced requirements in NIST SP 800-172.

[Figure: CMMC model structure, 1.0 versus 2.0]

Source: Chief Information Officer, U.S. Department of Defense | About CMMC

Meeting CMMC 2.0 Level 2 compliance with ConnectWise 

ConnectWise will adopt a staged strategy, including:  

  • Training and support: ConnectWise has established training and internal reviews for CMMC assessments. While timelines are subject to change pending the US government's release of plan details, assessment readiness, and market availability, ConnectWise remains committed to its outlined adoption plan and key milestones. 
  • ConnectWise CMMC compliance: By 2025, ConnectWise aims to achieve CMMC Level 2 compliance. The initial launch will take place in an isolated hosting environment, separate from existing environments.   
