The Department of Defense (DoD) is migrating to a new CMMC framework to properly assess and improve the cybersecurity posture of the Defense Industrial Base (DIB). The Cybersecurity Maturity Model Certification (CMMC) framework was created to act as a verification mechanism to enforce the implementation of appropriate cybersecurity processes and practices among DIB companies and to keep Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) protected.
Unlike NIST SP 800-171, the CMMC framework consists of five levels. Practices start at level 1 (basic cyber hygiene) and end at level 5 (advanced/progressive). CMMC level 2 focuses on intermediate cyber hygiene, which contains a more advanced set of practices compared to level 1. This level also introduces the model’s process maturity dimension. Once a company reaches CMMC level 2, it is expected to establish and document standard operating policies and procedures for its cybersecurity program.
CMMC level 2 is essentially a bridge from level 1 to level 3. The majority of DoD defense contracts either require a contractor to meet level 1 requirements or jump to level 3. However, before reaching level 3, a contractor will need to address several additional controls. With help from an experienced IT security compliance firm like SeaGlass Technology, companies can better understand what risks they face and take the proper steps to protect against these threats and meet CMMC compliance requirements.
Meeting CMMC Level 2 Requirements
In CMMC level 1, there are no processes or ‘maturity’. However, level 2 features two processes intended to establish a policy around each CMMC domain. Level 2 also adds 55 practices to the 17 that exist in level 1, for a total of 72 controls. Although the DoD has announced that there will be no defense contracts that require CMMC level 2, these practices are still important and the requirements should be met whenever possible.
Level 1 of the CMMC introduces the protection of Controlled Unclassified Information. It also focuses on the protection of Federal Contract Information. Through CMMC level 2 compliance, companies can demonstrate that they are effectively managing, documenting, reviewing and optimizing their cybersecurity practices across the organization. However, due to the cybersecurity limitations of CMMC level 2, contractors should not store or transmit CUI until they have reached level 3 compliance.
CMMC level 2 is an excellent stepping stone towards level 3, and indicates proper cybersecurity hygiene and maturity. The CMMC Accreditation Body and DoD have never stated that businesses cannot be certified at CMMC level 2, meaning that companies that are not yet able to reach level 3 requirements may still receive CMMC level 2 certification. Defense contractors are typically required to go through certification every three years, allowing them ample time to reach a higher level of maturity.
Learn More About Our CMMC Level 2 Compliance Services
CMMC compliance is an essential issue for all defense contractor organizations. Unfortunately, many companies struggle with meeting compliance. SeaGlass Technology offers a comprehensive CMMC compliance solution for organizations in need of CMMC compliance services. For more information or to schedule a consultation with an IT security expert, contact SeaGlass Technology.