10 Answers to Demystify CMMC 2.0 Compliance Challenges

with Matt Stern, Hypori Chief Security Officer

Following the introduction of CMMC, both the public and private sectors found themselves grappling with confusion regarding the implications of the latest security compliance standard and how to adhere to it. In an effort to provide clarity, I had the opportunity to sit down with Matthew Stern, Hypori's Chief Security Officer (CSO)—a trusted advisor with expertise in cybersecurity and a profound understanding of the latest security framework.

In this blog post, I delve into 10 key questions with Matt to explore CMMC compliance, offering insights and strategies to bolster cybersecurity defenses and achieve compliance. Join me as we unravel the complexities of CMMC 2.0 and uncover actionable solutions for today's cybersecurity landscape.

Q1: What exactly is CMMC 2.0 and why is it important for organizations to understand it? 

A: CMMC 2.0, or the Cybersecurity Maturity Model Certification, is a framework established by the Department of Defense (DoD) to ensure that organizations working with the DoD meet specific cybersecurity standards at varying maturity levels. Understanding CMMC is crucial for organizations, such as Defense Industrial Base (DIB) companies, to align their cybersecurity practices with DoD requirements and maintain eligibility to win DoD contracts. 

Q2: Are there specific security controls or regulations that organizations need to be audited by for CMMC compliance? 

A: Yes, organizations need to comply with specific security controls outlined in the CMMC framework. These controls are based on various cybersecurity standards and regulations such as NIST SP 800-171 and DFARS, which govern the protection of controlled unclassified information (CUI). 

Q3: How does CMMC compliance relate to data privacy laws such as GDPR and HIPAA? 

A: While CMMC primarily focuses on cybersecurity, organizations may be required to comply with data privacy laws like GDPR (General Data Protection Regulation) within the European Union and HIPAA (Health Insurance Portability and Accountability Act) within the United States. CMMC security controls may overlap with these laws, highlighting the importance of addressing both cybersecurity and data privacy concerns. 

Q4: Is CMMC 2.0 required for enterprise organizations, or is it primarily for government contractors? 

A: CMMC 2.0 only affects companies that are required to protect CUI as required in their contract with the DoD. This is normally identified in government contract documentation requiring the contracted company to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Enterprise organizations that are not part of the DIB or do business with the DoD do not have to meet CMMC 2.0 requirements. Companies that do business with the DoD, even if they are not a traditional DIB member, need to check their contract for the DFARS Clause mentioned above.   

Q5: What role do solution providers play in CMMC compliance, and what should organizations look for when selecting a provider? 

A: Solution providers, including cloud service providers (CSP) like Amazon Web Services (AWS), Google and Microsoft, play a crucial role in helping organizations achieve CMMC compliance by offering services and technologies that facilitate adherence to the necessary security controls. Organizations must be careful to ensure that they select regions within the United States and use the services within those regions to comply with CUI protection requirements.  

Q6: Who audits CMMC clouds, and what qualifications do these auditors (3CPAO) have? 

A: There is a great deal of confusion on this topic. Detailed on, “Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.”  

DIB members must contract with a third-party audit organization (3PAO) to validate compliance with the CMMC security controls. A CSP may provide some of these controls through the services they provide. However, there is no current audit standard for a “CMMC Cloud” environment. The DoD CIO, which is the governing organization over the CMMC program, has recently published a document (Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings, dated December 21, 2023) stating that Cloud Service Providers must meet “security requirements equivalent to the FedRAMP Moderate baseline and complies with DFARS 252.204-7012 requirements for cyber incident reporting.”  Hypori’s Halo CMMC Cloud SaaS environment has met these requirements.  
 

Q7: Why can’t Commercial customers or DIB Members access FedRAMP or IL5 environments?  

A: Only DOD organizations, also known as Mission Owners, can access any environment authorized under the purview of the DoD Security Requirements Guide (SRG) Cloud Computing (CC) at Impact Level 5.   

Additionally, federal agencies that require CUI protections can access FedRAMP Moderate or High environments depending on their FIPS 199 Categorization. Contractors assigned to support organizations that use FedRAMP or IL5 environments may be granted access to those environments per their contract roles. DIB companies can provide FedRAMP and IL5 Cloud Service Offerings. 

Q8: Does complying with CMMC make any organization more secure? 

A: Absolutely not. The time and effort you spend making sure you are compliant can have little to no effect on your security posture. There are no compliant frameworks today that question how an organization tunes its security operations tool set or procedures to ensure they can find the "bad guys" in their network.cui CMMC is a starting point to have the baseline tools, processes and procedures in place.  However, until these frameworks map capabilities to a threat model like MITRE ATT&CK, we are all just spinning our wheels.  

Q9: Can you provide examples of common misconceptions or confusion surrounding CMMC 2.0, and how can organizations address them? 

A: Common misconceptions surrounding CMMC 2.0 include confusion over whether it is mandatory for all organizations and the level of effort required for compliance. Education and seeking guidance from experienced providers can help organizations clarify these misconceptions and develop effective strategies for achieving and maintaining compliance. Hypori can specifically dive into the complexities of mobile CMMC compliance challenges.  

Q10: How does Hypori facilitate accessing a CMMC-compliant cloud from mobile devices, and what measures are in place to ensure security and compliance on these platforms? 

A: Hypori provides access to our CMMC Cloud environment capable of protecting CUI and supporting organizational CMMC compliance requirements with these controls. The Hypori Halo CMMC Cloud environment is delivered under the exact specifications of our Hypori IL5 SaaS. The Hypori Halo SaaS infrastructure has successfully passed multiple DoD, Commercial and Intelligence Community security reviews. We continually test, audit and conduct external and internal security reviews of our component architecture.  We share these results in our Trust Center here.   

Ready to streamline your CMMC compliance journey?  

Explore our comprehensive solutions tailored for SMBs in 'CMMC Compliance Made Easy for SMBs,' or request a demo today to discover how Hypori Halo can secure your CUI with simplicity, security, and cost-effectiveness. 

Hypori takes cmmc on the road:

CMMC Day Conference - May 6, 2024

Matt will also be presenting “CISO’s Guide to Future-proofing CMMC Mobility Strategy: Real World Use Cases” at CMMC Day taking place at The Hotel at The University of Maryland (The Hotel UMD) in College Park, Maryland at 11:50 am on May 6th in Salon E. Click here to register for this event.