The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the Department of Defense (DoD). Its goal is to verify that contractors and subcontractors actually implement the cybersecurity requirements already written into their DoD contracts, rather than simply attesting to them.

However, before defense contractors can meet compliance regulations they need to understand CMMC standards. With three levels, it’s easy to feel a little overwhelmed. Thankfully, navigating the levels of CMMC compliance is relatively easy once you have a basic understanding.

A Brief Look at the Three CMMC Levels

Okay, so before you start panicking and try to figure out how to meet all three levels, take a deep breath. Most defense contractors only need to meet one level. Which level applies to you? This depends on what’s specified in your DoD contract.

If you’re wondering whether the levels build on each other, the answer is yes. This means if you’ve achieved Level 1 compliance and a new DoD contract requires Level 2, you’re already on your way to meeting the new requirements. So, what’s involved with each CMMC level? Here’s a quick look at each one.

CMMC Level 1

This is the foundational level, the one the other two build on. It requires your business to have basic cyber hygiene practices in place to protect Federal Contract Information (FCI). FCI is information that the government provides, or that your business generates for the government under a contract, and that is not intended for public release. Because FCI is less sensitive than the data handled at the higher levels, the safeguards are less extensive, but they are still mandatory.

What are examples of FCI? It can include emails exchanged with others in the government’s supply chain, delivery schedules, or contract performance reports. Since nearly every DoD contract involves FCI, you should expect Level 1 requirements to be the norm, not the exception.

You can find the complete list of Level 1 requirements in Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” Its 15 safeguarding requirements fall into six domains:

  • Access Control
  • Identification and Authentication
  • Media Protection
  • Physical Protection
  • System and Communications Protection
  • System and Information Integrity

Level 1 is verified by an annual self-assessment, with the results and a senior official’s affirmation recorded in the DoD’s Supplier Performance Risk System (SPRS).

CMMC Level 2

As you’d expect, Level 2 is more demanding. At this level your business is handling Controlled Unclassified Information (CUI). CUI is information that the government creates or possesses, or that a contractor creates or handles on the government’s behalf, and that a law, regulation, or government-wide policy requires to be safeguarded. It is not classified, but you are legally required to protect it.

Some examples of CUI can include research data used by the military or even NASA. Technical orders and engineering drawings can also be considered controlled unclassified information.

To meet the standards for CMMC Level 2, your organization must show it can securely store, manage, process, and transmit CUI. Your cybersecurity controls must satisfy NIST SP 800-171, whose 14 requirement families include the six domains required for Level 1.

Meeting the Level 2 requirements can be intense. NIST SP 800-171 defines 110 security requirements, and its companion assessment guide, NIST SP 800-171A, breaks those down into roughly 320 assessment objectives, every one of which must be met. Depending on the contract, Level 2 is verified either by an annual self-assessment or by a third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO), renewed every three years.

CMMC Level 3

CMMC Level 3, often called the Expert level, is not about classified information. Classified work is governed separately under the National Industrial Security Program and falls outside CMMC’s scope. Level 3 instead protects CUI on the DoD’s most sensitive programs, where the expected adversary is an advanced persistent threat. Very few businesses will need to take their cybersecurity to this extreme, simply because only a small number of DoD contractors handle information of this sensitivity.

However, if you’re fortunate enough to be awarded a Level 3 DoD contract, you’ll need to meet rigid and robust cybersecurity protocols. In other words, there’s no room for mistakes in your cybersecurity practices.

So, what type of information are you dealing with? Your company may be working on designs for a nuclear submarine or developing a new fighter jet. Your business is typically working directly with the DoD or another top-level contractor. The supply chain is typically small to help ensure that proprietary information is protected.

To meet CMMC Level 3 standards, you first need a Level 2 certification from a C3PAO. Yes, it’s time-consuming, but it’s necessary if your DoD contract specifies Level 3. On top of the 110 Level 2 requirements, Level 3 adds 24 requirements drawn from NIST SP 800-172, for a total of 134 requirements your business needs to meet.

Level 3 assessments are conducted by the government itself, through the Defense Contract Management Agency’s DIBCAC, rather than by a C3PAO. The certification must be renewed every three years, with an annual affirmation of continued compliance in between.

Achieving CMMC Compliance

Achieving CMMC compliance is something every business that wants DoD contract work will need to accomplish as the program phases in. The level required depends on the specifics of your contract, but you should plan on meeting at least Level 1. If you handle CUI, or expect to bid on work that involves it, plan for Level 2 now, since that is what contracts involving CUI will require.

If you’re feeling overwhelmed, break the requirements into manageable phases: scope which systems actually store or process FCI or CUI, document what you already have in a System Security Plan, and then close the remaining gaps in priority order. Not only is this less stressful, but it is usually more cost-effective in the long run.


I am passionate about creating captivating digital content with a focus on technology and social media.