CMMC 2.0 and Security Awareness Training

Everyone in the federal government space is talking about it. So, what is it?

CMMC 2.0 - “Cybersecurity Maturity Model Certification”

It wouldn’t be government without the acronyms, so buckle up....

But first, why the 2.0?

The DoD published the first draft of the rule in September 2020. Then, informed by lots of public comments, they released slick new Version 2.0 in November 2021.

Ultimately, compliance became onerous and expensive for organizations seeking DoD (Department of Defense) contracts after the Interim Rule (i.e Version 1.0) became effective in November of 2020.

So the new rule is streamlined and better aligned with NIST standards. It's also a bit more flexible. This points to lower costs of compliance, it's just better for the industry.

So what is CMMC?

It’s a framework designed for the protection of the US Defense Industrial Base (DIB). Specifically, the focus is on securing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This essentially refers to any form of sensitive unclassified data that a contractor (or sub-contractor) creates or possesses for or on behalf of the government.

Depending on the level of certification needed, CMMC requires varying levels of assessments, some self-assessments, others from a C3PAO (Certified Third Party Organization) and still others that are government-led.

How does CMMC relate to NIST?

With Version 2.0, CMMC now points to both NIST SP 800-171 and NIST SP 800-172, depending on maturity level. So we'll jump into those.

Most cyber incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches.
-CMMC's "Overview of Implementation"

Ok, one last (and critical) point here: CMMC includes three levels of maturity. This is down from 5 levels in the initial version of the rule. Each level builds on the previous, meaning the requirements of each higher level include those of the levels below. So you can move step-wise from 1 to 2 to 3… you get it.

Take a look below for (1) a comparison of Model 1.0 vs 2.0 and (2) a brief explanation of the three levels of certification.

Big Change: You'll notice that Level 1 only requires an annual self-assessment. This is a big savings versus the original Level 1 that previously required a 3rd party assessment.

Now let’s dig into the Security Awareness Training requirements at each level! These will be all the requirements that start with those labeled Awareness and Training, or “AT.”

CMMC Level 1: Foundational (Self-Assessed)

While there's plenty of good stuff in the Level 1 Guide, the explicit Security Awareness Training requirements start at Level 2.

This means the Level 1 Self-Assessment doesn't require annual Security Awareness Training for your team (though it's always a wise measure to add), so let's keep moving.

CMMC Level 2: Advanced (Triennial 3rd Party Assessments)

Level 2 requires Security Awareness Training for all users to keep your team and the government's CUI and FCI information safe!

NIST 800-171
Section 3.2.1: All Users Must Receive Cybersecurity Awareness Training

“Ensure that all Managers, system administrators, and users or organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.”

Section 3.2.2: Security-Related Role-based Training Required

"Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

Section 3.2.3: Training Must Include Indicators of Insider Threats

“Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

Your INFIMA Security Awareness Training covers these topics!

CMMC Level 3: Expert (Triennial Government-led Assessments)

This is the heavy lifting. But the good news is that the DoD estimates that fewer than 1000 organizations will require this level of certification.

The certification requirements for Level 3 come from NIST 800-172, which is a beefed up supplement to to 800-171 (which we looked at above for Level 2)

3.2.1e: Enhanced Security Awareness Training

“Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training (annually) or when there are significant changes to the threat.”

3.2.2e: Practical Exercises in Awareness Training

"Include practical exercises in awareness training for organization-defined roles that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors."

Yep, your INFIMA Security Awareness Training covers these topics too!

As you move toward higher levels of CMMC Certification, you'll want to ensure your Training program stays right there with you.

Are you ready to take action?
We make it easy to keep your Training current. Find out how to protect your team with INFIMA's Automated Security Awareness platform.

Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Photo by Jeremy Straub on Unsplash