The Cybersecurity Maturity Model Certification (CMMC), developed by the Department of Defense (DoD), is a cybersecurity framework that combines requirements and standards to measure the cybersecurity maturity of the defense supply chain.
The DoD released the first version of the framework in January 2020. Over the next several years, contractors and subcontractors that process federal contracting information (FCI) or controlled unclassified information (CUI) will be required to acquire CMMC certification to prove that their systems meet the proper cybersecurity level that aligns with their DoD contracts.
The Defense Industrial Base (DIB) has always been required to implement security measures to protect the confidential government data that it stores and uses on its networks. These security requirements are continuously changing and have gradually transitioned from basic safety requirements to compliance with entire frameworks such as NIST 800-171.
Anyone who plans to work with the DoD or enter into future government contracts must prepare to comply with CMMC. Learn more about Cybersecurity Maturity Model Certification, what it entails, and who is required to comply.
CMMC Maturity Model And Levels
A maturity model is used to measure a business’s capability to improve and progress in a particular area. The CMMC maturity model includes a set of best-practice cybersecurity processes and outlines the cybersecurity capabilities expected of businesses at each maturity level.
CMMC includes a total of 171 practices spread across five levels. Each level identifies the maturity of a contractor’s cybersecurity practices, processes, and infrastructure. CMMC levels are cumulative, meaning each builds upon the previous level: to achieve level 3 compliance, the requirements for levels 1 and 2 must also be met, and to achieve level 4 compliance, the requirements for levels 1, 2, and 3 must also be met.
The five CMMC maturity levels include the following:
- Level 1 – Known as “basic cyber hygiene,” CMMC level 1 includes 17 security controls and requires organizations to safeguard federal contract information.
- Level 2 – Known as “intermediate cyber hygiene,” CMMC level 2 includes 46 security controls, focuses on protecting CUI, and serves as a transition step in the progression to level 3.
- Level 3 – Known as “good cyber hygiene,” CMMC level 3 has 47 security controls and requires organizations to have strict security practices and policies to protect CUI.
- Levels 4-5 – Known as “advanced/progressive,” CMMC levels 4 and 5 have 4 security controls and require businesses to protect CUI and decrease the risk of advanced persistent threats (APTs).
Who Must Comply With CMMC?
One of the most common questions asked by individuals who are new to or unfamiliar with CMMC is: Who needs to comply with CMMC? The answer is all DoD contractors. Anyone within the defense contract supply chain must comply with CMMC, including contractors who engage directly with the DoD and subcontractors who contract with primes to execute or fulfill contracts.
The DoD recently announced that CMMC will apply to more than 300,000 organizations. The majority of companies will need to reach certification between levels 1 and 3 to be eligible for government contracts. Organizations impacted by CMMC include small businesses, commercial items contractors, the DoD supply chain, and foreign suppliers.
The DoD has teamed up with the CMMC Accreditation Body (CMMC-AB) to create and implement procedures to validate and certify independent third-party assessment organizations (C3PAOs). Assessors are responsible for evaluating the CMMC levels of contractors and subcontractors. If an organization can demonstrate that it has met the requirements of a given level, it will receive certification at that level. Any contractor doing business with the DoD must meet the minimum CMMC requirements of level 1.
Why Is CMMC Important?
The CMMC maturity model encompasses several cybersecurity frameworks, standards, and references designed to protect unclassified information from cybercrime. It aims to protect FCI, which is information provided or generated by the government that is not intended for public release. It also covers CUI, which is information that requires protection from access by unauthorized personnel.
According to the FBI, the annual cost of cybercrime in the U.S. exceeds $3.5 billion. However, the actual figure is expected to be much higher, as many malicious cyber activities go unnoticed by organizations. To safeguard against these growing threats, the DoD is actively working to protect sensitive data and minimize the risk of future data breaches. Requiring all DIB contractors to comply with CMMC as a mandatory condition of doing business is expected to enhance the protection of FCI and CUI.
Schedule A Consultation With SeaGlass Technology
An initial pilot phase of CMMC began in 2021, and the remaining requirements are expected to roll out over a period of five years. DIB contractors who wish to be awarded new government contracts in the future will first be required to get certified. To learn more about CMMC and who needs to comply, reach out to the experienced NYC IT services providers at SeaGlass Technology today.