If you’re a defense contractor, you’re likely somewhat familiar with the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense (DoD) introduced this certification to secure the supply chain with a standardized method of implementing cybersecurity for contractors working in the Defense Industrial Base (DIB), which consists of over 300,000 companies.
This program, announced in January 2020, draws on a series of existing cybersecurity standards, including the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and National Institute of Standards and Technology (NIST) publications.
It is different from NIST 800-171, however, because it’s centered around third-party evaluations for cybersecurity compliance as opposed to self-attestation. According to data security information company Varonis, cybercrime is responsible for over $600 billion in global GDP losses each year. Additionally, the average annual spending of the DoD on Federal Contracts is $402 billion. Therefore, CMMC compliance is critical for all prime defense contractors and subcontractors.
What Are The Requirements For Each CMMC Maturity Level?
Each CMMC maturity level has its own specific set of requirements. All five levels are assessed along two dimensions: practices and processes. The former refers to the implementation of controls such as configuration management, while the latter refers to the creation of plans and policies for all 17 domains the CMMC covers.
The DoD is moving toward requiring all contractors to be CMMC compliant by 2026; by fiscal year 2025, an estimated 475 contracts are projected to contain CMMC level requirements. Here is a closer look at the security requirements for each of these maturity levels.
CMMC Level 1
This level consists of basic cybersecurity requirements listed in FAR clause 52.204-21, or “basic cyber hygiene” in layman’s terms. In total, this base level contains 17 cybersecurity practices (e.g., introducing fundamental Access Controls). The primary objective of Level 1 is to protect Federal Contract Information (FCI).
FCI is information provided by, or generated for, the federal government under a contract to develop or deliver a product or service, and that is not intended for public release. Most DoD contractors require Level 1 certification; the exception is contractors that exclusively produce “Commercial Off the Shelf” software.
CMMC Level 2
The main objective of CMMC Level 2 is to form a basic level of cybersecurity for any entity that possesses Controlled Unclassified Information (CUI), which is data that the federal government creates or processes (or that another organization generates or retains on behalf of the government) that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.
An executive order dictating rules and processes for handling CUI was signed in 2010. This level of certification requires written policies for all 17 CMMC domains and records related to practices for ensuring these policies are implemented. The security practices required for Level 2 are also a subset of the requirements named in NIST 800-171 (55 more practices than those enumerated in Level 1).
CMMC Level 3
CMMC Level 3 requires that an organization establish, maintain, and resource a plan for managing the processes necessary to implement its cybersecurity practices. This plan can address many subjects, including stakeholders, training, and objectives. DFARS clause 252.204-7012 applies at Level 3. In March 2020, 58 new cybersecurity practices were added to Level 3. They pertain to the following domains:
- Access control
- Asset management
- Awareness and training
- Incident response
- Media protection
- System and information integrity
- Many other domains
CMMC Level 4
For CMMC Level 4, an organization must regularly assess how effective its cybersecurity practices are. Additionally, organizations must routinely update upper management on whether their information systems are fully functional and correct any errors whenever necessary.
At this stage, organizations should be able to quickly identify and respond to cybersecurity risks, especially advanced persistent threats (APTs). APTs can severely damage the United States’ economic security interests because companies depend on many types of systems, including operational technology, traditional IT systems, Internet of Things (IoT), and Industrial IoT systems, all of which an APT can target.
CUI that is stored, processed, or transmitted in connection with a High Value Asset (HVA) requires greater protection against APTs. For Level 4 certification, there are 26 more practices than those required for Level 3.
CMMC Level 5
CMMC Level 5 certification requires organizations to improve and standardize the implementation of all cybersecurity-related processes. This level also centers on protecting CUI from APTs and therefore involves significantly more advanced security processes and practices (15 more practices than Level 4).
How To Achieve CMMC Compliance
If you’re a contractor who doesn’t handle sensitive data, you’ll likely only need to achieve CMMC Level 1 compliance. If you frequently handle CUI, however, you must attain at least Level 3. To help reach Level 3, it’s highly recommended that you follow three essential steps:
1. Use a platform where secure CUI exchanges can occur: To protect CUI and FCI contained in files and emails, use end-to-end encryption that can be deployed easily. Encryption is also effective for protecting International Traffic in Arms Regulations (ITAR) information.
2. Create a strong System Security Plan (SSP): This document describes how the contractor implements the procedures and policies needed for Level 3 compliance. To pass an independent audit, an SSP must describe this implementation in as much detail as possible.
3. Partner with a CMMC compliance expert: A CMMC expert can guide you through the requirements needed to stay compliant with this program at an affordable cost. Speak with an experienced cybersecurity professional to learn more.
It’s also important to evaluate whether your cloud-based platforms are CMMC-certified. Specifically, you should determine whether your platforms are “in-boundary.” Many large cloud service providers (e.g., Microsoft, Duo) offer federal versions of their products that are FedRAMP Moderate authorized. To determine whether your cloud platforms are CMMC-certified, you can use NIST 800-171 as a proxy.
Essentially, there are four stages to attaining CMMC compliance: a CMMC gap analysis, CMMC implementation, a CMMC pre-assessment, and a CMMC assessment. To help organizations get CMMC-certified, the DoD formed an Accreditation Body (AB), an independent nonprofit that accredits CMMC Third-Party Assessment Organizations (C3PAOs) as well as individual assessors.
Other Things To Know About CMMC
Here are some other facts you should know about CMMC:
- The CMMC program is still evolving, meaning the information presented here is subject to change.
- Cost: The DoD has not yet determined the cost of CMMC. This figure will likely be in proportion to the CMMC level that your organization seeks to obtain.
- Your organization will require recertification every three years.
- The CMMC requirement for a federal contractor and/or subcontractor will be outlined in Sections L and M of the Request for Proposals (RFP).
Speak To The CMMC Experts
Reach out to the professionals at Vaultes to learn more about CMMC compliance. For half a decade, we’ve been dedicated to providing efficient and innovative IT solutions to small, mid-sized, and large clients throughout Northern Virginia and around the globe. Our specialties include data backup and disaster recovery, web hosting, IT assessments, IT security, network installation and integration, and compliance audits.
If you’re a DoD contractor, subcontractor, or sub-tier supplier, you will be required to comply with CMMC. At Vaultes, we understand the requirements for obtaining this certification and are dedicated to helping you achieve your goals so that you can ensure your cybersecurity processes and practices meet FCI and CUI standards. Call Vaultes today or contact us online for more information on CMMC compliance and requirements for the 5 CMMC maturity levels.