As technology continues to advance, so does the manner in which organizations process, transfer, and store information. For entities that deal with sensitive or even Controlled Unclassified Information, the rigors of proper handling become even more relevant.
The Cybersecurity Maturity Model Certification, or CMMC, has been introduced to guide these organizations in their implementation of technology and cybersecurity so that such valuable information is protected across all touchpoints of their processes.
However, not all organizations are required to abide by the same levels of security and complexity. This means that understanding which CMMC level you must abide by is important for planning your next steps.
To determine your CMMC level, you must first understand more about this program and what each of the levels accomplishes. Once you know this, you can see which level is right for you and the requirements put in place by that level.
What Is CMMC?
CMMC refers to Cybersecurity Maturity Model Certification. “Maturity” in the context of cybersecurity refers to how competent and complete a security strategy is and how thoroughly it is implemented.
CMMC was created by the Department of Defense as the newest requirement that all of its contractors must achieve, though implementation and verification of compliance will be rolled out gradually in the coming years. This gives you time to begin implementing cybersecurity strategies and technology processes in order to comply with the appropriate CMMC level for your business.
The goal of Cybersecurity Maturity Model Certification is to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). What is different about the CMMC standard is that it will cover contractors and subcontractors for a more comprehensive approach to information safety, protecting the storage and transfer of valuable information across the many moving parts of an executed contract. CMMC regulations are broken into multiple levels, with compliance requirements that vary by organization; for example, not all businesses will need to achieve the Level 5 standard.
The rollout of CMMC is still in progress, but this does not mean that you should wait until you are affected. CMMC will impact all Defense Industrial Base entities, and it would be wise to utilize this time before requirements are fully in place to begin moving toward the new features, technologies and strategies that you will need to employ in order to be compliant.
Another important feature of the Cybersecurity Maturity Model Certification to note is that, previously, organizations were typically permitted to self-report the efficacy and implementation of their cybersecurity practices. This will no longer be the case.
Under the CMMC, an authorized third party will objectively evaluate each organization’s practices against the standard using a rigorous methodology to determine whether they are in compliance with the CMMC level sought. This makes it more important than ever to begin implementing the proper practices as soon as possible, even before you are required to abide by the CMMC during its rollout.
Which Level CMMC Must My Organization Comply With?
The CMMC levels differ based upon the type of information being handled. Thus, only organizations that regularly deal with highly critical Controlled Unclassified Information will be required to attain CMMC Level 5 practices.
The first step in determining your CMMC level is to perform a comprehensive inventory of all of your organization’s systems and how they function so that you can reveal where CUI and FCI are stored and how such data is transferred. Compare this with the CMMC requirements to locate potential gaps or shortcomings that must be bridged before CMMC is fully implemented.
Not all organizations have the capacity or competency to carry out this extensive preparation process in-house; a managed services provider or cybersecurity expert can assist you in this area. Keep in mind, too, that the levels of Cybersecurity Maturity Model Certification are cumulative; if you are required to abide by CMMC Level 3, you will also need to fulfill the requirements of Levels 1 and 2. Consider the following as you determine which CMMC level is right for you.
CMMC Level 1
CMMC Level 1 is the most basic level of the Cybersecurity Maturity Model Certification process; all certified organizations working with the Defense Industrial Base, contractors and subcontractors alike, must complete the CMMC Level 1 requirements in order to protect sensitive information and Federal Contract Information, or FCI.
The foundational requirements at this level include proof of practices such as the utilization of an up-to-date antivirus program and establishing strong password requirements that are followed by all employees.
These passwords must be protected from third-party access, so be sure to evaluate not only the strength of your password creation practices but also how and where passwords are stored, if they are stored at all. You will also need to consider the frequency with which password changes are conducted.
CMMC Level 2
CMMC Level 2 is not so much a level on its own as it is a transition between CMMC Level 1 and Level 3. This is the level at which Controlled Unclassified Information becomes relevant. If you are unsure whether you are handling CUI, the Department of Defense defines such information as any data whose controlled dissemination or safeguarding is mandated by laws, regulations or existing government policies.
In addition to the requirements of CMMC Level 1, organizations needing to achieve Level 2 must document their current cybersecurity policies and procedures, which should include a forward-looking process geared toward implementing further cybersecurity measures in response to changing needs. Many organizations are likely already familiar with the requirements of NIST SP 800-171; CMMC Level 2 is the part of the CMMC process that mandates many of the same requirements that were established in NIST SP 800-171.
CMMC Level 3
CMMC Level 3 is where many organizations will find themselves. In addition to compliance with the previous two levels, any organizations that handle CUI must clearly demonstrate proper cyber hygiene and be ready to actively adapt their practices as needed.
At this point, all the mandatory features of NIST SP 800-171 must be implemented, but Cybersecurity Maturity Model Certification does not stop there. Organizations should actively monitor and record their cybersecurity processes and their efficacy. Pay attention to areas such as backup and recovery, ensuring that system restores are possible without insecurely storing such information in the interim. DNS filtering also becomes important at this point, as does robust spam protection.
CMMC Level 4
Once an organization has reached the CMMC Level 4 threshold, it is required to have strategies for dealing with Advanced Persistent Threats, or APTs. As technology has continued to advance, so too have the dangers that could compromise controlled and highly important information.
Advanced persistent threats include issues such as malware that has been modified and refined over time to bypass many of the traditional means of protecting a system or network. CMMC Level 4 organizations must be able to demonstrate a robust and comprehensive approach to countering these ever-changing threats. CMMC Level 4 or higher is the level with which an organization will be required to comply if it handles HVA CUI, or high-value asset Controlled Unclassified Information.
CMMC Level 5
The final (and highest) CMMC level, Level 5, is reserved for the most sensitive high-value asset CUI. In addition to all the requirements from the previous levels, CMMC Level 5 organizations will be expected to actively work against advanced persistent threats and successfully demonstrate, with evidence, their utilization of 171 different security controls measured across 17 domains of practice.
These include system maintenance requirements, active physical protection of systems and proactive training of staff to educate and prepare them for compliance and general cybersecurity hygiene. The many points necessary for compliance with CMMC Level 5 can be viewed directly from the Secretary of Defense.
Reach Out for Assistance to Understand Your Required CMMC Level and Implement Compliance Strategies
While the requirements for each Cybersecurity Maturity Model Certification level may be clearer now, the level with which you are actually required to comply may still be confusing. It is safe to assume that you will need to comply, at minimum, with CMMC Level 1, so you may begin by evaluating your current cybersecurity practices and planning the changes and additions needed to fill in the cybersecurity processes you are missing. If you handle high-value asset CUI, assume that you will be required to abide by a minimum of CMMC Level 4.
Cybersecurity Maturity Model Certification is not yet fully implemented, which means that during this intermediary period, the expectations placed upon your organization may not be entirely clear. However, in the future, RFPs (Requests for Proposals) will explicitly enumerate which CMMC level will be required for that contract.
Additionally, be aware that if you have achieved Cybersecurity Maturity Model Certification for levels 1, 2 or 3, this certification will be valid for three years. This means that the best place to start is at Level 1, building up from there as you learn more about which level is right for you in preparation for the full rollout of Cybersecurity Maturity Model Certification.
Fully implementing effective cybersecurity can be a challenge, especially when you are handling new processes and requirements. The cybersecurity and IT experts at Vaultes would be happy to help you achieve compliance with your appropriate CMMC level. Reach out to schedule an appointment to discuss your strategy and compliance needs.