Background Image
 
Request a Demo
Claroty Toggle Search
Return to Blog

How to Evaluate the CMMC Phase 2 Compliance Pause

/ / 6 min read
Featured image for our blog: How to Evaluate the CMMC Phase 2 Compliance Pause

The U.S. Department of Defense (DoD) slammed the brakes on the Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements on Monday, citing a need to lower barriers to entry for smaller innovative technology contractors, reduce bureaucracy—and compliance costs—and speed up the introduction of new capabilities to the defense industrial base (DIB). 

Phase 2, set to begin in November, would have required that accredited third-party auditors known as third-party assessment organizations (C3PAO) would determine whether DIB contractors were up to snuff on their compliance with NIST 800-171 and other related cybersecurity standards. 

While Phase 2 is on pause, this does not spell the end of CMMC, nor does it relieve contractors and subcontractors from ensuring the security of controlled unclassified information (CUI) and federal contract information (FCI). These third parties, key to the functioning and continuity of the DIB, must continue to self-attest the implementation and enforcement of basic security hygiene controls in their environment. 

DoD Chief Information Officer Kirsten A. Davies made this clear in her announcement of the pause, which also included the announcement of a 60-day review of CMMC, putting its future up in the air as the department aims to reduce or eliminate CMMC’s high compliance costs and administrative burdens on small businesses looking to do business with the DoD. The evaluation also puts a pause on future CMMC milestones, Davies said. 

Davies, meanwhile, stressed that operational resilience through cybersecurity remains a priority for the DIB, but that it can be achieved with less red tape. 

In this blog, we’ll provide an overview of:

  • CMMC compliance mandates on the DIB supply chain

  • How NIST SP 800-171 impacts CPS protection

  • Why Claroty’s compliance capabilities can help ongoing CMMC compliance

What is CMMC Compliance?

CMMC was designed to protect FCI and CUI as it is handled and stored by the DIB supply chain. All DoD contractors and subcontractors are subject to CMMC compliance; CMMC formalizes compliance with standards such as NIST SP 800-171, which outlines controls meant to protect sensitive unclassified information from adversaries. 

CMMC certification is a mandate for businesses bidding on DoD contracts. There are three phases of maturity based on the sensitivity of data being handled.

  • Phase 1: Requires annual self assessments that ensure foundational cyber hygiene controls are implemented and enforced. 

  • Phase 2: Mandates strict protocols that align with NIST standards; third-party assessments are typically required to ensure compliance

  • Phase 3: Government-led assessments are required at this level; here, companies handling extremely sensitive data must implement high levels of cybersecurity controls. 

Phases 2 and 3 have been suspended as of this week; Phase 2 requirements would have begun in November and Phase 3 in November 2027. 

How the Phase 2 Suspension Impacts CPS 

In short, Phase 2 suspension means that third-party certification requirements in new DoD contracts are no longer required. CMMC, for the time being, is not going away, and organizations must self-attest to Phase 1 compliance to standards such as NIST 800-171, a framework designed to protect CUI confidentiality.

NIST 800-171 also extends to FCI and CUI within operational technology (OT) and cyber-physical systems (CPS). A number of OT and CPS security practices are called out in the NIST standard, including limiting access to OT and CPS through segmentation. It spells out that critical process networks must be isolated from corporate networks. Other controls such as multifactor authentication are required for human-machine interfaces (HMIs) and for engineering workstations that upload and download process data and commands from programmable logic controllers (PLCs). 

Secure remote access to OT assets is also a mandate under NIST 800-171, through the use of purpose-built solutions or restriction of unauthenticated traffic via the firewall. Real-time threat detection and network monitoring are also in the standard as a means of  identifying asset behavior anomalies, or the introduction of malicious commands. Compensating controls are also outlined for legacy technologies that remain core to OT in several critical industries such as manufacturing. 

A Federal News Network article published on Monday said that this is not the first challenge to the high costs of CMMC compliance. The phased-in implementation was introduced by the Biden administration, which conducted its own CMMC review that ultimately imposed the third-party assessment requirements on fewer contractors. The phases also would give contractors more time to prepare for the respective requirements. 

How Claroty Can Help

The Phase 2 suspension does not mean that CUI protection is a thing of the past, nor that NIST 800-171 compliance is optional for contractors and subcontractors who handle and store unclassified information. Phase 1 self-assessments remain intact and third parties must sign and affirm their implementation and enforcement of foundational controls. 

Claroty can help support your organization’s CMMC compliance efforts. Claroty xDome as well as our on-premises Claroty Continuous Threat Detection (CTD), and Claroty Secure Access are a complete solution to meet the aforementioned NIST 800-171 domains with the following capabilities:

  • Access Controls: Claroty controls network access to regulate and monitor internal and third party remote activities across the network. This includes tiered user access, multi-factor  authentication, strict password rules, virtual network segmentation, and network traffic monitoring, and secure-by-design remote network access. 

  • Asset Management: Claroty has the industry’s broadest protocol coverage to support its active and passive collection capabilities. We provide a full inventory of all CPS assets and their accompanying risks and vulnerabilities. With these methods Claroty is capable of providing the most comprehensive CPS visibility and asset management controls.

  • Zero Trust Segmentation and Secure Access: Network segmentation and secure remote access are zero trust controls that distinguish legitimate communication across business processes and applications. Claroty jumpstarts network segmentation programs by automatically creating and simulating policies that can be enforced through existing infrastructure. 

  • Auditing and Accountability: Claroty has introduced CPS Compliance Mapping into its xDome platform hoping to ease some of the complexity around compliance alignment and reporting. The new feature consumes asset telemetry collected by the platform to provide a current state of compliance related to CPS assets and enabled frameworks. NIST 800.53 has a direct “push button” report for our clients.

xDome continuously applies logical rules across your environment. It utilizes live, native platform telemetry, such as device attributes, threat alerts, MDS2 documents, and vulnerabilities, to automatically calculate compliance statuses across all enabled frameworks.

The pause on CMMC Phase 2 aims to cut down on red tape potentially hindering protection of critical data handled by contractors and subcontractors. While the pause has its merits, it’s important to recall that cybersecurity is not on the backburner for organizations that must be compliant. Basic hygiene requirements are still in place, and organizations must still self-attest to their compliance. 

Reach out for a demo and learn more about CMMC compliance capabilities.

Interested in learning about Claroty's Cybersecurity Solutions?

Background Image

Life, uninterrupted

We maximize your availability, strengthen your insurability, and support compliance to ensure operational resilience.

Claroty
LinkedIn Twitter YouTube Facebook