Back to blog

How SMBs can meet CMMC requirements

Although many primary defense contractors have been preparing for Cybersecurity Maturity Model Certification (CMMC) compliance, smaller channel partners may be starting their journey now. For many small and mid-size businesses (SMBs), CMMC requirements can feel overwhelming. What are the 5 levels of CMMC? Instead of creating a prescriptive model, the CMMC offers a “maturity model.” […]

Published: November 26, 2020, by David Driggers

Although many primary defense contractors have been preparing for Cybersecurity Maturity Model Certification (CMMC) compliance, smaller channel partners may be starting their journey now. For many small and mid-size businesses (SMBs), CMMC requirements can feel overwhelming.

What are the 5 levels of CMMC?

Instead of creating a prescriptive model, the CMMC offers a “maturity model.” For SMBs, this approach can be equally helpful and stressful. From a compliance standpoint, the maturity model allows for differences in IT complexity, staffing, and risk. Simultaneously, since the Department of Defense (DOD) has released little guidance, many subcontractors find themselves struggling to define their CMMC level.

The CMMC establishes 5 different levels:

  • Level 1: Performing best practices for cyber hygiene but often on an “ad hoc” basis
  • Level 2: Documenting processes for consistency as intermediate cyber hygiene
  • Level 3: Managing processes for good cyber hygiene programs.
  • Level 4: Reviewing and measuring activities for a proactive cybersecurity program
  • Level 5: Optimizing and standardizing processes across the organization for an advanced/progressive cybersecurity program

Each level consists of a set of policies and processes necessary for proving cyber hygiene. For example, Level 1 recognizes that smaller organizations may be securing data but doing so without formal policies or processes. Meanwhile, Level 5 requires a sophisticated approach to managing and continuously iterating cybersecurity processes.

What is the difference between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)?

CMMC works like a sliding scale with each level adding another layer of policies and processes. Additionally, the CMMC slowly scales the types of data that an organization needs to protect and the controls around that data. Before knowing your CMMC level, you need to identify all data connected to your contract and understand the different controls necessary.

Federal Contract Information (FCI)

The National Archives defines FCI as:

information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

FCI is information not intended for public release that you manage as part of your contract activities. For example, FCI can include information in emails, on thumbdrives, or shared in messaging applications.

Controlled Unclassified Information (CUI)

Meanwhile, the National Archives defines CUI as:

information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

CUI requires additional safeguards because the data falls under more traditional definitions of “sensitive data” as understood by current cybersecurity and privacy regulations. For example, CUI includes non-public personal information, financial information, IT security data, law enforcement documentation, and patents.

How do I know what my CMMC level is?

Once you have identified the types of data you collect, transmit, and store as part of your contract, you need to align with the different levels.

For example, the first three levels focus on your cybersecurity program’s formality and on the types of information that you store, transmit, and collect.

  • Level 1: Safeguard Federal Contract Information (FCI)
  • Level 2: Acts as a transition step with the beginning of Controlled Unclassified Information (CUI) protections
  • Level 3: Safeguard and Protect both FCI and CUI

FCI covers nearly all the information about the work you’re doing to meet your contractual obligations. Meanwhile, CUI is focused on the type of protected data. So while FCI may be a broader term, the controls necessary may be less robust.

For example, if you’re writing an email to your government contact, then you need to protect that as FCI. However, if that email contains data that would be protected under other laws, such as birthdate or social security number, then it includes CUI which needs to be protected with additional controls.

The short answer is that nearly all subcontractors will need to meet Level 2 or Level 3 compliance.

How does NIST SP 800-171 help meet CMMC compliance requirements?

For organizations that need to meet Level 3 compliance, CMMC suggests the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as a governing control set.

NIST 800-171 sets out a list of security requirement families:

  • Access control
  • Awareness and training
  • Audit and accountability
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Risk assessment
  • Security assessment
  • System and communications protection
  • System and information integrity

Within each security requirement family, the SP lists basic security requirements and then adds “derived security requirements” which go into further depth. The basic security controls align with the Federal Information Processing Standards (FIPS) Publication 200 while the derived security requirements that supplement these basic standards come from NIST SP 800-53.

For example, a basic security requirement for access control is to limit system access to authorized users, processes acting on behalf of users, and devices. However, as part of maintaining these access controls, the derived security requirements list includes controls like segregation of duties and limiting unsuccessful logins, among others.

NIST 800-171, therefore, acts as a short-hand for bringing together FIPS Publication 200 and NIST SP 800-53 in a single document to help determine not only the high-level categories of controls but suggestions for best practices as you develop specific IT security controls.

CMMCplus Works with SMBs So They Can Meet CMMC Requirements

CMMCplus works with primes and their subcontractors to help streamline the CMMC compliance process. Our platform can help you identify your CMMC level with an easy-to-use self-assessment process. After completing the self-assessment, you can use the platform to engage in a gap analysis by filling in the controls you already have in place, then comparing the current control landscape to what your CMMC level requires.

Additionally, we work with partners who can help you meet the audit requirements associated with CMMC as part of our marketplace. CMMCplus was created specifically for SMBs who work as subcontractors so that they can attain the necessary level of compliance without being overwhelmed.

For better visibility into your current readiness state, try our free gap assessment tool.


Conduct a Free Gap Assessment Now!

Begin the process of increasing your competitive advantage
by maturing your security posture with our Free Assessment Tool