February 20, 2024

Automate CMMC 2.0 Requirements: Everything You Need to Know to Stay Compliant

Security & Compliance

CMMC 2.0 requirements are here — and The Cybersecurity Maturity Model Certification (CMMC) is mandatory for organizations involved in the Defense Industrial Base (DIB). Established by the Department of Defense, this framework outlines strict cybersecurity standards, aiming to safeguard Controlled Unclassified Information (CUI) throughout for contractors and subcontractors of the Department. 

We’ll explore what you need to know about the changes for CMMC 2.0, and provide you with a strategy to automate compliance and pass audits 

Table of Contents: 

What are CMMC 2.0 Requirements? 

Announced in November 2021, CMMC 2.0 is the latest version of the Department of Defense’s cybersecurity guidelines to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

 CMMC 2.0 includes cybersecurity standards and best practices that are intended to: 

  • Protect warfighters' sensitive data specific to any contracts with a CMMC DFARS clause. 
  • Strengthen a Defensive Industrial Base (DIB)’s cybersecurity by continuously improving security measures. 
  • Simplify compliance with Department of Defense (DoD) requirements to make following the rules easier. 
  • Promote a collaborative cybersecurity culture to encourage knowledge sharing within the DIB. 
  • Earn public trust through ethical practices that make it clear security is non-negotiable. 

CMMC 2.0 Maturity Levels 

Here is what you can expect at each certification level: 

Level 1: Foundational

Level 2: Advanced

Level 3: Expert

  • Focuses on basic security practices, like password changes. 
  • Protects Federal Contract Information (FCI), defined as non-public information generated for government contracts. 
  • This level requires demonstrating practices like access control and malware protection. 
  • Safeguards Controlled Unclassified Information (CUI), a broader category than FCI. 
  • This level adheres to all NIST 800-171 r2 security requirements, which specify comprehensive security controls. 
  • Must have a documented and enforced cybersecurity program. 
  • Detects and responds to evolving tactics used by advanced threats. 
  • This level requires capabilities like continuous monitoring, advanced threat detection tools, and incident response preparedness. 
  • Must maintain a proactive cybersecurity posture. 

17 Total Practices 

110 Practices 

110+ Practices 

To ensure compliance at each of these levels, organizations are expected to conduct an annual self-assessment (for Level 1), receive a triennial third-party assessment (Level 2), or a triennial government-led assessment (Level 3). 

What’s the Difference Between CMMC 2.0 and CMMC 1.0? 

CMMC 2.0 builds on the current program requirements and is more streamlined, reliable, and includes more flexibility than the first iteration of CMMC 1.0. 

There are a few reasons why changes were made to CMMC, outlined on the Department of Defense website. To summarize: 

  • The model was streamlined from 5 levels to 3 levels of compliance. 
  • Companies at Level 1 can demonstrate compliance through self-assessments. 
  • Certification is more flexible and can be achieved through Plans of Action & Milestones (POA&Ms). 
  • The Government can waive inclusion of CMMC requirements under certain circumstances. 

Why Automate CMMC 2.0 Compliance? 

Manual compliance and remediation are time-consuming, error-prone processes. We’ll use a case study from a Puppet customer as an example, working within the energy space as a U.S. government agency. With manual enforcement, they were only able to achieve 30% compliance — with automation, this jumped up to 98%. 

Automation makes compliance easier, can save you time, and ultimately save you money. We’ll list out a few benefits before jumping into specific items that can be automated to meet CMMC 2.0 requirements: 

  • Efficiency: When you automate repetitive tasks like control testing, evidence collection, and reporting, your team has more time to accomplish other, more strategic tasks. 
  • Accuracy: Automation helps eliminate human error in data collection and reporting — helping you prepare for an audit you can be confident about. 
  • Visibility: Using Puppet Comply can help you gain instant insights into your compliance status and stay proactive. 
  • Cost Savings: Reduce manual workload and dramatically shorten your audit and remediation activities at scale, saving valuable resources. 

With 110+ practices to manage and maintain compliance at Level 2 and 3, automating where possible can help you stay on top of everything while avoiding compliance drift

How to Start Automating CMMC 2.0 Requirements 

Before you plan to automate using a platform like Puppet, you’ll need to understand the appropriate Level of CMMC requirements that apply — and you should already have a good understanding of what your security plan has in place in its current state. 

From there, you’ll want to: 

  1. Identify Key Controls: Analyze CMMC requirements and understand the controls that are relevant based on your Level. 
  2. Choose the Right Modules: Explore the Puppet Forge to find modules that support your targeted controls. 
  3. Build Your Automation Code: Using Puppet manifests (AKA scripts), you can define the desired state for your systems based on the chosen modules and CMMC requirements. 
  4. Implement and Test: Deploy your Puppet code across your infrastructure and regularly test to make sure it enforces compliance. 
  5. Refine and Monitor: Continuously monitor compliance posture, refine your automation as needed, and adapt to evolving CMMC requirements. 

Puppet can help you get compliant with CMMC 2.0 requirements and stay that way with automation — saving you time and ensuring accuracy before any assessment. 

See how Puppet works with a customized demo for your specific industry needs: