Cyberattacks executed on Department of Defense (DoD) supply chains are a national security concern. As a result, obtaining the Cybersecurity Maturity Model Certification (CMMC) will be required for defense contractors to bid on DoD contracts as early as 2023. If companies are not CMMC certified or don’t have the right level of certification for a specific contract, they will be excluded from contract award. Indeed, the purpose of CMMC is to keep the defense supply chain secure. Companies must understand and achieve the CMMC level most appropriate for them.
The particular contract a company holds with the federal government will determine which CMMC level is required. Contractors must maintain that level throughout the duration of the contract. Furthermore, if an organization holds multiple contracts with varying levels of CMMC, it must maintain the highest level for the entire contract.
This certification is not a one-time achievement, nor is it a one-size-fits-all model – it is a continuing effort. There are three levels within the CMMC, each more stringent than the tier below it. Not all contractors must obtain the highest CMMC level (3). In fact, in most cases DoD contractors will be required to only achieve Level 1 or 2.
CMMC Levels and General Applicability
Each of the three CMMC levels addresses a different level of security requirements to protect sensitive information shared with the contractor.
Level 1: Foundational
- Provides a foundation of practices for the higher levels.
- Required for contractors to handle non-public Federal Contract Information (FCI).
- Includes 17 of the 110 NIST SP 800-171 security requirements.
- Contractors should, at a minimum, have a limited ability to stop data exfiltration and recover from malicious actions. In-scope security practices must be performed at least in an ad-hoc manner.
Level 2: Advanced
- Includes all 110 security requirements set forth in NIST SP 800-171.
- Necessary for any company that generates or requires access to Controlled Unclassified Information (CUI) to perform contract obligations.
- Requires companies to show a fundamental ability to protect and support an organization’s IT assets and the CUI it is entrusted with. CMMC Level 2 includes the elements of a basic cyber security program. Therefore, companies may still struggle to mitigate advanced persistent threats (APTs).
- DFARS clause 252.204-7012, which includes additional requirements such as incident reporting, also applies.
- Must establish a plan that displays cyber security and compliance implementation and continuous management.
Level 3: Expert
- Mandates that an organization standardize and optimize cyber security processes throughout the company to better combat Advanced Persistent Threats (APTs). This differs from Level 2’s requirement to focus on being proactive.
- Though not fully defined by DoD, CMMC Level 3 will be based on the requirements defined in NIST SP 800-172.
- Stringent cyber security program management and documentation requirements.
- Focus on continuous improvement.
NIST SP 800-171 and CMMC Level 2
DFARS 252.204-7012 (b)(2) requires defense contractors to implement NIST SP 800-171 no later than December 2017. Many organizations have since implemented NIST SP 800-171 in response to this requirement. CMMC 2.0 is based on NIST SP 800-171. Therefore, if an organization is already DFARS 252.204-7012 and NIST 800-171 compliant, CMMC Level 2 compliance will require less time and money to achieve.
Note: With the initial CMMC 1.0 model, there were five tiers, rather than the current three tiers in CMMC 2.0. CMMC 1.0 – Level 3 had an additional twenty (20) requirements. In November 2021, DoD announced that CMMC 1.0 – Level 3 would become CMMC 2.0 – Level 2 and would mirror NIST SP 800-171, removing the additional twenty (20) requirements.
Source: Chief Information Officer – Department of Defense
For example, a CMMC Level 2 certification assessment will cover 100% of the NIST 800-171 CUI controls. NIST 800-171 primarily focuses on protecting CUI at rest, in transit or when being processed. Furthermore, federal procurement rules such as DFARS 252.204-7012, 252.204-7019 and 252.204-7020 contain specific cyber security requirements such as incident reporting and the submission of SPRS scores.
Which CMMC Level Is Required?
The DoD will specify a contractor’s required CMMC level through requests for information (RFI) and requests for proposals (RFP). The determination is based on the level of sensitivity of information shared with the contractor. Generally speaking, if CUI is handled during the course of a contract, CMMC Level 2 will be required.
Contracts will specify the lowest level a company must achieve in order to be awarded the contract, but organizations can choose a higher tier to position their company for future business growth. Becoming familiar with each level and its requirements will help contractors understand their current compliance status and assist in remediation planning.
Cyber compliance requirements defined in current contracts can help companies estimate where they currently stand in relation to the CMMC level required. If your existing contracts include DFARS 252.204-7012 and/or NIST SP 800-171 compliance requirements, your organization will likely need to achieve CMMC Level 2. Conversely, if your organization does not handle CUI, CMMC Level 1 will be required.
InfoDefense Can Help
Companies need to perform assessments to identify gaps and determine where changes are necessary to achieve the right level of CMMC compliance. InfoDefense offers a CMMC Assessment Tool at no cost for contractors to perform their own CMMC Level 2 assessments. If you need help, we also offer CMMC assessment services.
CMMC compliance can be costly and confusing, so we advise that you get it right the first time. InfoDefense is a leader in helping organizations achieve cost-effective CMMC compliance. We offer a full range of CMMC compliance options. Contact Us for more information.