Since its initial announcement in 2019, the U.S. Department of Defense (DoD) has been working to establish a set of cybersecurity standards that all defense industrial base (DIB) contractors must meet. The program, known as the Cybersecurity Maturity Model Certification (CMMC), has undergone multiple evolutions since its introduction, including a transition from CMMC 1.0 to CMMC 2.0, which replaced the five-level model with three progressively more demanding levels.
CMMC subjects all DoD contractors that handle controlled unclassified information (CUI) to third-party cybersecurity assessments. These assessments are performed by CMMC Third-Party Assessor Organizations (C3PAOs), which are trained and certified by the CMMC Accreditation Body, a nonprofit organization separate from the DoD. While the CMMC program remains under internal review by the Pentagon, it is still a priority for the many organizations that will be required to meet these standards before entering into contracts.
According to the DoD, the CMMC requirements will impact more than 300,000 organizations. There are several things to consider to determine if a particular business will need to be CMMC certified.
What Organizations Need CMMC Certification?
CMMC certification is required of any organization in the DoD supply chain, including DIB contractors that interact exclusively with the DoD, as well as all of their subcontractors. The responsibility for meeting CMMC requirements also extends to managed service providers (MSPs) and managed security service providers (MSSPs), which are at risk of misrepresenting their business or solutions as CMMC-as-a-Service offerings. As a result, these businesses may be liable under the False Claims Act (FCA).
What level of certification is needed will depend on the individual DoD contract and whether the organization will be handling CUI or just Federal Contract Information (FCI). Organizations that only produce off-the-shelf commercial products are not typically required to meet any level of CMMC regulations.
If an organization only handles FCI, which refers to information that is generated by the government and is not public, it is required to achieve Level 1 compliance. Organizations that work with CUI, which refers to unclassified but highly sensitive information, must meet Level 2 or Level 3 depending on the contract and the type of information.
Before the release of CMMC 2.0, the CMMC was divided into five separate levels that each required a certain number of cybersecurity controls. In CMMC 2.0, the five levels have been condensed into three comprehensive levels. Here is a look at these three levels and how they compare to CMMC 1.0:
The Three Levels Of CMMC 2.0
CMMC Level 1:
The first level of CMMC 2.0 is known as the “Foundational Cybersecurity” level and applies to organizations that will only be handling FCI. In Level 1, there are a total of 17 controls that cover basic cybersecurity best practices designed to protect FCI and other less sensitive data. Assessment for CMMC Level 1 is typically completed internally and must be performed annually.
CMMC Level 2:
The second level of CMMC 2.0 is called the “Advanced Cybersecurity” level and combines the previous Levels 2 and 3. CMMC Level 2 is designed for organizations that will be working with CUI. Requirements under Level 2 align with NIST SP 800-171 and consist of 110 cybersecurity practices. Level 2 assessment is a combination of self-assessment and third-party assessment requirements, depending on the type of information handled. Assessments are performed every three years.
CMMC Level 3:
The third and final level of CMMC 2.0 is referred to as the “Expert Cybersecurity” level and contains requirements from CMMC 1.0 Levels 4 and 5. This is the highest level of CMMC certification and focuses on protecting CUI within the DoD’s highest-priority programs. Level 3 is designed to defend against advanced persistent threats (APTs) and includes 110-plus controls, including some drawn from NIST SP 800-172. This level requires a government-led assessment that occurs every three years.
How Can An Organization Get CMMC Certified?
The CMMC Accreditation Body suggests that organizations seeking CMMC certification start planning at least six months before the date on which they need to produce certification for DoD bids. One of the best ways to ensure that an organization is meeting CMMC requirements is to perform a self-assessment before scheduling a formal CMMC assessment with a C3PAO.
A C3PAO can assist in the process by providing advice, scheduling assessments, training individuals within the organization, and reviewing evidence with the CMMC Accreditation Body Quality Auditors. Initial self-preparation for CMMC should consist of determining the compliance level the organization must meet, the information the business handles, and the scope of the assessment. Organizations should also review the assessment guide and any other supporting documentation, and perform a gap assessment.
Inquire About NYC Managed IT Services
Remaining compliant with CMMC IT security standards can help DIB contractors win lucrative contracts. For more information about how to determine if an organization needs CMMC certification or for assistance meeting cybersecurity requirements, contact the IT professionals at SeaGlass Technology.