The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC) program to safeguard cybersecurity across the government’s Defense Industrial Base (DIB), the sector responsible for military weapons systems, subsystems, and components or parts.
Announced in November 2021, CMMC 2.0 requirements are expected to be included in all new contracts by October 2025.
This blog post will delve into the concept of the maturity model in the context of cybersecurity, key figures of the DIB, the anatomy of CMMC levels, and how Varonis can help your org achieve compliance.
What is a maturity model?
Maturity models are a collection of best practices, which progress along a scale from lower levels of adoption or “maturity” to higher levels of aptitude and certification.
Certifying to a maturity model means that a company or organization has committed itself to improving its processes and practices to a sustained high level of performance.
What is CMMC?
Cybersecurity Maturity Model Certification is a program initiated by the U.S. Department of Defense (DOD) to measure and standardize its defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. CMMC 2.0 is a streamlined update to the original 2020 CMMC program.
At a high level, this framework is a collection of processes and inputs from existing cybersecurity standards — such as NIST, FAR, and DFARS — designed to protect DIB security.
At a tactical level, the goal of the program is to improve the security of federal contract information (FCI) and controlled unclassified information (CUI).
To whom does CMMC apply?
The certification applies both to “prime” contractors who engage directly with the DOD and to subcontractors who contract with those primes to fulfill and execute contracts. Although some level of certification will be a requirement of every contract beginning in 2025, the DOD has indicated that it intends to issue contract opportunities at all levels of the maturity model, meaning some requests will require only a low level of certification and others will require higher levels.
DIB fast facts
- $10.5 trillion: annual cybercrime impact
- $705 billion: annual DOD contract value
- 100,000+: companies in the DIB
- 23%: budget allocation to small business
Why does CMMC matter?
It’s estimated that cybercrime drains $10.5 trillion annually from the global GDP. Relying on the vast network of contractors to execute the DOD’s mission means that the Department of Defense is entrusting each contractor with critical data that increases the overall risk profile of the DIB. Accordingly, the DOD understands the burden and outsize proportion of risk that cybercrime puts on their base of subcontractors, many of which are small businesses and lack the resources of their larger, prime counterparts.
It's against this backdrop that the DOD has released the CMMC, to oversee the adoption of best practices in cybersecurity with a “defense in depth” strategy across its entire global contractor base.
Key CMMC 2.0 takeaways
The required certification:
- Applies to DOD prime contractors and subcontractors
- Applies to limited new contracts beginning this year and applies to all contracts beginning in 2025
- Covers advancing levels of cybersecurity processes and practices, resulting in a certification “level”
- Ensures contractors start with Level 1 and certify at each level all the way to the top (Level 3)
- Demonstrates the need for a powerful tool (such as Varonis) for facilitating all levels of CMMC compliance
CMMC framework
The goal of the CMMC is to ensure the protection of two types of information from disclosure or unauthorized use:
- CUI, which requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended
- FCI (not intended for public release) provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public
CMMC 2.0 certification levels (summary)
CMMC 2.0 reduced the number of certification levels from five (in CMMC 1.0) to three. The three CMMC 2.0 levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.
Level 1 requires organizations to perform basic cybersecurity practices; you can certify at this level through an annual self-assessment.
Level 2 requires organizations to document their processes to guide their efforts to achieve CMMC Level 2 maturity. The documentation must also allow users to repeat these processes.
Assessment requirements for Level 2 compliance depend upon whether the CUI data handled is critical or non-critical to national security. Organizations with prioritized acquisitions that handle data critical to national security must pass an assessment by a third-party assessment organization (3PAO) every three years.
Organizations with non-prioritized acquisitions with data not deemed critical to national security must conduct an annual self-assessment.
The Level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats by requiring an organization to establish, maintain, and provide resources for a plan to manage the activities needed to implement its cybersecurity practices.
CMMC 2.0 Level 3 applies to companies that handle CUI for DOD programs with the highest priority. As of publication, the DOD has not released the specific security requirements.
CMMC 2.0 framework components
As part of the effort to simplify CMMC and align it with NIST SP 800-171 and SP 800-172, CMMC 2.0 has only three parts: levels (as explained above), domains, and practices.
Levels
As contractors advance in their assessments in each of these components, an overall certification to a level is achieved.
Level 1 is achieved by completing 17 practices across the CMMC domains.
Level 2 is accomplished by completing 110 practices from the 17 domains and having this verified by a third-party assessment organization.
Level 3 has yet to be formalized but will likely include all practices from each domain and verification by a third-party assessment organization.
Domains
There are 17 domains in the CMMC model. Each covers an individual area of essential cybersecurity functions taken from existing standards, including Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171. Each domain appears in one or more of the model’s levels.
Practices
There are 113 practices that span the 17 domains. Think of practices as the individual tasks or efforts required by each category.
How to become certified
The DOD has created the CMMC Accreditation Body — a nonprofit, independent organization to accredit third-party assessment organizations (3PAOs) and individual assessors. Details are forthcoming about the mechanics of certification, but the DOD plans to establish a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification.
How Varonis ensures CMMC certification
Getting started with CMMC might seem like a daunting task, and the reality is that certification is simply too large of a program to be handled by one person or even one team within an organization. Nevertheless, certification will be a nonnegotiable requirement of DOD contractors going forward, and Varonis can help federal contractors comply.
The best place to start when beginning to operationalize CMMC is with domains. Remember, these are centers of excellence with tasks and management that must be performed and continuously optimized for organizations to achieve and advance their levels of certification. Recall also that the primary goal of CMMC is the protection of CUI and FCI.
The Varonis Data Security Platform can facilitate, execute, and automate many of the 113 practices required and their related processes within the CMMC model.
Domain | CMMC 2.0 Practice | Varonis product(s)
---|---|---
AC — Access Control | | Varonis Data Security Platform
AT — Awareness and Training | | Professional Services
AU — Audit and Accountability | | Varonis Data Security Platform
CM — Configuration Management | | Varonis Data Security Platform
IA — Identification and Authentication | | Varonis Data Security Platform
IR — Incident Response | |
MA — Maintenance | | Varonis Data Security Platform
MP — Media Protection | | Varonis Data Security Platform
PS — Personnel Security | | Varonis Data Security Platform
PE — Physical Protection | | Varonis Data Security Platform
RA — Risk Assessment | |
CA — Security Assessment | |
SC — System and Communications Protection | | Varonis Data Security Platform
SI — System and Information Integrity | | Varonis Data Security Platform
The CMMC will impact each and every one of the 300,000-plus companies in the United States defense industrial base. Companies that are already familiar with and adhering to NIST, FAR, and DFARS will likely have a first-mover advantage in advancing through CMMC, but Varonis can accelerate any company’s CMMC with a powerful platform for compliance and security.
Contact the Varonis Federal team for a free Data Risk Assessment, and level up your CMMC.