Cyberattacks executed on Department of Defense (DoD) supply chains are concerns for national security. As a result, obtaining the Cybersecurity Maturity Model Certification (CMMC) is required for defense contractors to bid on DoD contracts. If companies are not CMMC certified or don’t have the right level of certification for a specific contract, they cannot bid. Indeed, the CMMC holds third parties accountable and keeps the defense supply chain safe. To be prepared and able to accept DoD contracts, companies must understand and achieve the CMMC level most appropriate for them.
The particular contract a company holds with the federal government dictates what CMMC level it needs. Contractors must hold that level throughout the duration of the contract. Additionally, if an organization holds multiple contracts that require different CMMC levels, it must maintain the highest of those levels for as long as those contracts run.
This certification is not a one-time achievement, nor is it a one-size-fits-all model – it is a continuing effort. There are three levels within the CMMC, each more stringent than the tier below it. Not all contractors must obtain the highest CMMC level (3). In fact, most will be required to achieve Level 2, but others need to reach a higher certification.
CMMC Levels and General Applicability
Each CMMC level addresses a different tier of cybersecurity, so that contractors can comply with the level most suitable for them:
Level 1: Foundational
- This level provides a foundation of practices for the higher levels. However, process maturity is not assessed, since a contractor at this level may not yet be able to follow its processes and documentation practices consistently.
- Contractors may have access to federal contract information.
- With a Level 1 certification, contractors should have at least a limited ability to stop data exfiltration and recover from malicious actions. At a minimum, these practices may be performed in an ad hoc manner.
Level 2: Advanced
- Companies are expected to meet the 110 security requirements set forth in NIST SP 800-171.
- This level is necessary for any company that generates or requires access to Controlled Unclassified Information (CUI).
- Companies must show a fundamental ability to protect and support an organization’s assets and CUI. However, at this level, companies may still face hurdles battling advanced persistent threats (APTs).
- Organizations subject to DFARS clause 252.204-7012 have to meet more requirements, such as incident reporting.
- Companies must also establish a plan that demonstrates how the required practices are implemented and managed.
Level 3: Expert
- This level mandates that an organization standardize and optimize its implementation process throughout the company to better combat APTs. This differs from the initial model's Level 4, which focused on being proactive.
- Companies should implement and document practices in a standardized manner across the organization.
- There is also a focus on continuous improvement.
NIST SP 800-171 and CMMC Level 2
Some compliance standards have overlapping controls and provide a good starting point. As a general rule, if an organization is NIST SP 800-171 compliant, it is also compliant with CMMC Level 2.
Note: Under the initial CMMC model, these two compliance tiers were not identical. CMMC Level 3 (now CMMC Level 2) had an additional twenty (20) requirements. In November 2021, DoD announced that these additional CMMC-specific requirements were removed and that CMMC Level 2 compliance would mirror that of NIST SP 800-171.
Accordingly, a CMMC Level 2 audit will cover 100% of the NIST SP 800-171 CUI controls. It should also be noted that NIST SP 800-171 primarily focuses on protecting CUI at rest, in transit, or while being processed. The CMMC requires companies to also comply with the nonfederal organization controls.
Figuring Out Which CMMC Level Is Right for Your Organization
The DoD specifies a contractor's required CMMC level through requests for information and requests for proposals. The determination is based on the specific contract. Contracts will specify the lowest level a company must achieve in order to be awarded the contract, but a company can pursue a higher tier to position itself for future contracts. Becoming familiar with each level and its requirements will help contractors understand their current state and set a goal.
Existing compliance standards can also help companies estimate where they currently stand on the CMMC scale. Many compliance standards align with NIST standards, which makes them a strong resource for guidance.
InfoDefense Helps Contractors Prepare
DoD defense contractors must become CMMC certified at the appropriate level for their contract. The levels range from basic hygiene to advanced preparation to prevent APT attacks. Each CMMC level contains all of the criteria of the preceding ones and increases in requirements as the levels rise.
Companies need to perform assessments to identify gaps and determine where changes are necessary to achieve the right level; however, some existing compliance regulations can help contractors approximate where their security posture stands.
The CMMC can be costly and confusing, so we advise that you get it right the first time. InfoDefense has years of experience getting contractors compliance-ready. Even though the CMMC is a fairly new standard, we can get you ready for that too. Download our free self-assessment tool, or contact us today for more information.