www.hivesystems.io
© 2022 Hive Systems, LLC
A Little Bit of Background First
In the Beginning There Was CMMC 1.0
In November of 2020, an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule titled
Assessing Contractor Implementation of Cybersecurity Requirements was created. It implemented DFARS
clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level
Requirement, which in turn implemented the initial version of what became the first Cybersecurity
Maturity Model Certification (CMMC 1.0).
CMMC 1.0 was developed by the Department of Defense (DoD) to help standardize the cybersecurity
requirements for companies doing business with the DoD. Prior to this, there was an inconsistent
patchwork of policies and standards across private sector companies that left the DoD responsible for
understanding its own exposure and risk. The program included cybersecurity standards for prime
contractors and subcontractors in the defense industrial base (DIB) and provides a framework for the
assessment and certification of contractor and subcontractor cybersecurity controls. CMMC incorporates
the standards and certification program into acquisition programs to provide the DoD assurance that
contractors and subcontractors are meeting DoD’s cybersecurity requirements.
CMMC 1.0 was, by and large, criticized for its complexity, with cybersecurity process and practice
expectations that were out of touch with industry best practices in the private sector for how
companies implement effective cybersecurity controls. CMMC 1.0 consisted of 5 increasingly progressive
levels from Basic to Advanced, but in practice Level 2 and Level 4 were considered “transition” levels.
These interim stages added requirements for Controlled Unclassified Information (CUI) and Advanced
Persistent Threats (APT) from NIST SP 800-171 and NIST SP 800-172. As such, they needed to be
considered by the cybersecurity program and incorporated into planning, but they were not necessarily
mature in practice, implemented, and measurable in the way required at Level 3 for CUI controls
(NIST SP 800-171) or Level 5 for further APT focus (NIST SP 800-172). As a result of this multi-stage,
progressive process, many of the requirements for CMMC 1.0 were confusing, and the DoD found that even
the communication of the requirements and expectations from its own cybersecurity and acquisitions
leaders to contractors and subcontractors was confusing and inconsistently provided. Further, CMMC 1.0
defined several unique maturity processes that were challenging for companies to interpret and
implement if they were already following other industry and government standards.
Beyond the challenges of confusing cybersecurity requirements mapped to what seemed
to be arbitrary, or at least inconsistently communicated requirements sets, CMMC 1.0 did
not allow for the use of Plan of Action and Milestones (POA&Ms) or “Risk Waivers” when
seeking certification. This effectively provided contractors and subcontractors with no
ability to address non-compliance through reasonable remediation planning, and instead
resulted in contractors struggling to demonstrate compliance with all required
cybersecurity practices and processes, and unnecessarily delaying certification assessment
out of fear of failure. Both DoD cybersecurity and industry representatives agreed this was
too inflexible and did not properly account for nuance and non-applicability of certain
cybersecurity practices across a broad range of contractor / subcontractor systems and
services, nor good faith efforts to remediate without holding up the acquisition process.
Finally, in a shift from most risk-based frameworks and standards that allow some level of
self-assessment and reporting for low-risk systems, CMMC 1.0 accepted only independent
third-party assessment for certification. This not only was a shift from the norm, but also
created a heavy cost and resource burden for even those contractors and subcontractors
seeking the lowest Level 1 certification. In many cases these assessments provided little
assurance for the DoD over self-assessment of these lower maturity level providers.
Because of the streamlining of the requirements to meet each compliance level, and the
required CMMC certification level being included in solicitation documentation, it is now
clearer to companies what requirements they’ll be on the hook for at a given level:
❯ Level 1: Companies at Level 1, the Foundational level, handling Federal Contract
Information (FCI) only will need to meet the 17 core cybersecurity practices retained
from CMMC 1.0 as identified in 48 CFR 52.204-21.
❯ Level 3: Companies certifying at Level 3, the Expert level, handling CUI of the
highest priority will need to implement and meet the requirements for 110+
cybersecurity practices from NIST SP 800-172.
By eliminating the DoD-specific maturity processes and instead moving toward established standards,
companies are more readily prepared to meet the requirements of CMMC. With far less duplicative,
cost-bearing effort in the process, many companies are now seeking CMMC certification with clearer
guidance. And for those companies that were already aware of, or were already working toward,
compliance with NIST SP 800-171 and NIST SP 800-172 as part of prior federal guidance for contractors
and subcontractors handling CUI, the path is even clearer.
Level 1 (Foundational) Practices
AC.L1 - 3.1.1: Limit information system access to authorized users, processes acting on behalf of
authorized users, or devices (including other information systems).
PE.L1 - 3.10.3: Escort visitors and monitor visitor activity.
PE.L1 - 3.10.4: Maintain audit logs of physical access.
For Level 2 certification, the 110 controls within NIST SP 800-171 constitute the scope of
cybersecurity practices. You can review the scoping guide for each level using the CMMC
2.0 Practice Spreadsheet and Mapping available on the DoD’s CMMC website.
(PO). The Government PO will submit the waiver request package for senior DoD
approval. Further, such waiver requests must be time-bound which will be
considered and stipulated on a case-by-case basis.
Certified CMMC Professional (CCP)
Certified CMMC Assessor (CCA)
Additionally, for companies to qualify and be certified as a C3PAO, they must meet the
requirements for certification as outlined by the CMMC-AB, including (eventually) achieving
CMMC Level 2 certification themselves. Depending on what level certification your
company is aiming to achieve, you may need to budget to have a C3PAO assist you with
assessing your compliance with the CMMC required practices.
C3PAO assessment, your trusted advisor should be knowledgeable, approachable, and
flexible.
Our Approach
Hive Systems’ CMMC Readiness Assessment focuses on examining your company’s
organizational cybersecurity controls and those specific to the services or products you
intend to bring to market for the Defense Industrial Base (DIB) through the lens of CMMC
2.0. Our team of experts will guide you through information gathering relevant to the
assessment of the CMMC practices, working hand-in-hand with your team to develop a
current state view of the design and implementation of in-scope cybersecurity processes
and practices. Once that initial scoping is developed, our team will identify and document
the gaps between the current state and the desired CMMC certification level requirements,
while providing you with actionable and tailored remediation plans. Our team will also
provide you with customized reports on compliance across various stakeholder levels,
delivering both low-level detail reports with concise and actionable information for your
technical stakeholders to facilitate remediation, and executive-level reports highlighting the
outcomes of the assessment, key insights and takeaways from the effort, and areas of
interest to help drive business decision making and prioritization efforts.
More About Hive Systems
Hive Systems provides smarter cybersecurity solutions with our trusted experts. Leveraging
our collective experience, we promote a true partnership by understanding what makes
your organization unique to help evaluate your cybersecurity strengths and vulnerabilities.
Together, we’ll develop a risk reduction strategy that best utilizes your existing investments,
including both technology and people, to keep your information secure anywhere - so you
can reduce risk everywhere. Through Hive Helps, we offer pro bono consulting services to
qualified non-profit organizations and communities to ensure that limited resources don’t
stand in the way of social progress.
So whether you know exactly what you need or have absolutely no idea, we love to talk
about cybersecurity. And if you need help with something that we didn’t discuss in this
whitepaper, there’s a good chance we can help with that too. Contact us directly and let’s
talk more about how Hive Systems can help make cybersecurity approachable for you and
your company.
Find out more about us online at www.hivesystems.io, and while you’re there, check out:
❯ Read the ACT Blog where you can learn about the latest trends and concerns
sweeping the cybersecurity world.
❯ Watch Hive Live and check the newest episodes featuring our experts and panelists.
❯ Read our story to learn more about us and how we’re making cybersecurity
approachable.
❯ Learn about Hive Helps where we provide pro bono consulting to qualified
non-profit organizations and charities.
Disclaimer
The opinions expressed are in good faith and while every care has been taken in preparing
this document, Hive Systems, LLC makes no representations and gives no warranties of
whatever nature in respect of this document, including but not limited to the accuracy or
completeness of any information, facts, and/or opinions contained therein.
Hive Systems, LLC, its subsidiaries, officers, employees, and agents cannot be held liable for
the use of and reliance of the opinions, strategies, and findings in this document.