
What Are the Different CMMC Levels


Published: October 8, 2020, by Karen Walsh

In January 2020, the first version of the Cybersecurity Maturity Model Certification (CMMC) framework was released. Intended to create a standardized approach to cybersecurity for organizations that contract with the United States Department of Defense (DoD), the CMMC will be applied to all companies in the defense industrial base (DIB) supply chain, including suppliers who subcontract through larger defense equipment manufacturers. Depending on where your organization sits in the DIB supply chain, your compliance requirements may differ from those of larger “prime” contractors, which is why understanding the different CMMC levels before beginning the road to certification can help you scope your project.

When will CMMC compliance become a requirement?

At present, Under Secretary of Defense for Acquisition and Sustainment Ellen Lord has indicated that the DoD will only require certification for new contracts, not those already in progress. She also explained that she wants to prevent compliance from burdening small and medium-sized businesses (SMBs) because they provide innovative technologies.

Currently, the CMMC website is vague on the details. The CMMC Accreditation Body (CMMC-AB) website notes that details of the provisional CMMC 3rd Party Assessment Organization (C3PAO) program were released in July 2020. However, some specific dates might give more insight into when you can expect to see the DoD and primes looking for certification:

  • June 2020: Requests for Information (RFIs) will start to incorporate CMMC requirements
  • September 2020: Requests for Proposals (RFPs) will start to incorporate CMMC requirements
  • October 2020: DoD contractors will need certification from an accredited Assessor or C3PAO to bid on new work
  • 2026: last of current contracts will be renewed, bringing all contractors into compliance

Additionally, Lord appears to be optimistic that prime contractors will help their subcontractors meet the appropriate CMMC level. 

Understanding the Different CMMC Levels

CMMC certification applies to any company that manages Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). FCI includes information provided by or generated for the Government under contract not intended for public release. CUI is information that falls under Executive Order 13526, Classified National Security Information, meaning that a company needs to prevent it from being disseminated, such as through a data breach.  

 

At the strictest level, Level 5, CMMC consists of 17 domains with 43 associated capabilities, mostly taken from the Federal Information Processing Standards (FIPS) Publication 200 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. However, it also incorporates three additional domains of Asset Management, Recovery, and Situational Awareness.  

 

Each level incorporates two elements: processes and practices. As a maturity model, this means that each different level adds new elements to both the processes and the practices required to be considered compliant. 

CMMC Level 1: Performed Basic Cyber Hygiene

At this level, you need to make sure that you’re focused on protecting FCI and meeting the “Basic Safeguarding of Covered Contract Information Systems” requirements. Since CMMC assumes that your organization is performing practices in an ad-hoc manner, no process maturity assessment needs to be done. 

 

CMMC Level 2: Documented Intermediate Hygiene

At this level, you need to start creating and documenting practices and policies. As you continue to mature your cybersecurity program, documentation standardizes practices for repeatable outcomes. As a bridge between Level 1 and Level 3, this level incorporates several security requirements specified in NIST SP 800-171, and it begins to reference CUI as well as FCI.

CMMC Level 3: Managed Good Cyber Hygiene

To meet the requirements for this level, you need to have a fleshed-out cybersecurity program, even if it's in the early stages. You need not only to establish and maintain a plan showing how you will manage cybersecurity, but also to provide the resources necessary to implement the plan and associated activities. Some elements to consider include missions, goals, project plans, resourcing, training, and internal stakeholder communication.

As another step in creating a robust cybersecurity program, this level focuses on protecting CUI, including all of NIST SP 800-171 security requirements. It also brings in additional standards and references for best practices that mitigate security threats. Finally, going a step beyond even NIST SP 800-171, Level 3 includes requirements such as those in Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

CMMC Level 4: Reviewed Proactive Cybersecurity 

With Level 4, you need to go beyond creating a program and move into measuring how well your controls secure information. You need to establish baselines and key performance indicators, and take corrective actions. Level 4 also moves into the arena of protecting CUI from advanced persistent threats (APTs) such as malware running in the background or credential theft that allows a cybercriminal to sit in your system without your knowledge. In short, at this point, you need to move into a process of continuous monitoring, detection, remediation, and documentation.

CMMC Level 5: Optimizing Advanced/Progressive Cybersecurity

Level 5, the highest level achievable, is the gold standard, seemingly intended primarily for primes. You need to standardize and optimize your processes across the organization. Aimed at protecting CUI from APTs, this level focuses on evolving a program’s depth and sophistication.

Determining the Right Level for Your Company with CMMCplus

The first step to meeting CMMC compliance is knowing your organization’s level and how to scope out the systems, networks, and applications that need to be secured. The second step is finding the right controls that match your maturity level. 

 

Not all contractors and subcontractors will need to meet some level of CMMC compliance, but the most important step will be knowing which level is right for you. CMMCplus was created to help SMBs struggling to meet what can be an overwhelming compliance requirement so that you can attain the certification necessary without going beyond your company’s individualized needs.

Our platform provides an easy-to-use guide for determining your CMMC level and engaging in a gap analysis. We also work to connect companies with the right partners to help them achieve compliance. 

 

If you’re interested in learning more about how our firm can help your organization, contact us today. 
