The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to implement cybersecurity practices and policies for contractors throughout the Defense Industrial Base (DIB).
The loss of Controlled Unclassified Information (CUI) from the DIB has resulted in an increased risk to national security and the economy. To reduce this risk, the DoD has taken the necessary steps to enhance the protection of CUI by requiring federal contractors to meet the appropriate levels of cybersecurity processes and practices as outlined in the CMMC model.
The requirements for CMMC certification depend on the target level. Each level builds on the one below it, so a contractor targeting Level 3 must also satisfy everything required at Levels 1 and 2. Across the five levels, the framework comprises 17 domains, 43 capabilities, 171 practices that measure technical capability, and five processes that measure process maturity.
To identify what CMMC level a particular defense contractor must meet, it is important to fully understand all five levels and what type of information the organization manages. Learn more about these five levels and how to become CMMC compliant.
CMMC Certification Levels
CMMC levels range from Level 1, the lowest, to Level 5, the highest and most advanced. Note that this five-level structure is the original (CMMC 1.0) model; in November 2021 the DoD announced CMMC 2.0, which collapses the framework to three levels, so confirm which version your contract references. Here is a more in-depth look at the five levels and what each entails.
CMMC Level 1 requires basic cyber hygiene: the 17 practices that correspond to the basic safeguarding requirements of 48 CFR 52.204-21. This level is the foundation for every higher level and must be met by all certified companies. Level 1 focuses on protecting Federal Contract Information (FCI); process maturity is not assessed at this level.
Level 2 of CMMC requires intermediate cyber hygiene. It is a transitional level with 72 practices: a subset of the security requirements in NIST SP 800-171 plus practices drawn from other references and standards. At Level 2, contractors are also expected to create and document standard operating policies, procedures, and plans for running an effective cybersecurity program (the "documented" stage of process maturity).
A contractor that has met Level 3 has demonstrated good cyber hygiene and a basic ability to protect and manage CUI and the assets that hold it. Level 3 comprises 130 practices: all 110 security requirements of NIST SP 800-171 plus 20 additional practices that help mitigate threats. Organizations at this level may still have difficulty defending against advanced persistent threats (APTs).
Level 4 requires a proactive, substantial cybersecurity program focused on protecting CUI from APTs. It adds a subset of the enhanced security requirements from draft NIST SP 800-171B (since published as NIST SP 800-172) along with other best practices, for 156 practices in total. Level 4 practices improve a contractor's ability to detect, respond to, and adapt to the changing tactics and techniques used by APTs.
An organization that has reached Level 5 operates an advanced, progressive cybersecurity program and has demonstrated the ability to repel APTs. The additional practices at this level (171 in total) deepen the sophistication of the organization's capabilities, and processes are expected to be standardized and optimized across the organization.
Determining What CMMC Level To Comply With
Defense contractors need only meet the CMMC requirements appropriate to the type of information they handle. A subcontractor at the bottom of the supply chain that handles only FCI will likely certify at Level 1, while a contractor with access to sensitive programs, such as military base construction projects, may be required to certify at Level 4 or 5.
To determine which level a DoD contractor must work towards, start by inventorying all systems to establish where CUI and FCI are stored, processed, and transmitted, and who manages them. Then conduct a readiness assessment against the practices of the target level to determine how that data is accessed and controlled. Finally, a gap analysis identifies which requirements remain unmet before the organization can reach its target CMMC level.
Unless a contractor is at the bottom of the supply chain, it should assume it will need at least Level 3. Any organization that receives, creates, or processes CUI will typically need Level 3 or above, and contractors that handle high-value assets (HVAs) may need Level 4 or 5.
Contact SeaGlass Technology
Determining how to identify your target CMMC level and become CMMC compliant can be challenging. To learn more about CMMC compliance, reach out to SeaGlass Technology for expert NYC managed IT services.