CMMC Explained: The Five Levels and Your Environment

Understand what the Cybersecurity Maturity Model Certification (CMMC) is, why the Department of Defense is requiring it, and how to comply in order to maintain or obtain your DoD contracts.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the standard by which the Department of Defense will assess the cybersecurity environment of their contracted businesses. Depending on the nature of the product/service, certification may require only Basic Cybersecurity Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in writing through the RFP.

The cybersecurity of contractors will now be materially relevant to awarding DoD contracts. The development of this requirement is in direct relation to the DoD’s vested interest to defend the confidentiality, integrity, and availability of their contracted partners.

CMMC Security Readiness: How Do I Prepare?

There are a lot of questions and details to be addressed about your cybersecurity environment. As the rollout of the CMMC progresses, we’ll continue to update this page to keep you informed. Be on the lookout for webinars, writing materials, and secure sources about how your hygiene correlates with CMMC security standards.

How is a CMMC certification obtained?

Your company must contact a third-party assessor. After you identify the level required of your organization in the RFP, the assessor will determine whether or not your environment meets the requirements to be certified at that level. Self-certification is not an option. Your certification level will be public knowledge, but specific findings regarding your environment will not be publicly available.

How much will a CMMC certification cost?

The costs of the actual certification are going to be reimbursable under this program. However, costs to implement cybersecurity systems and processes in order to comply with the required certification level will be borne by the company.

When will the CMMC framework be available?

CMMC Version 1.0 is was released in January with Version 1.02 released in March. CMMC requirements will begin to appear in Requests for Information in June 2020.

What Level of certification will I need?

The diversity of the DIB does not lend itself to a one-size-fits-all approach to security. To that effect, the levels of CMMC are meant to sequentially build upon one another. Level 1 is seen as the most universal level of hygiene, while levels 2, 3, 4, and 5, grow more and more complex. Depending on the nature of your organization, the DoD may request more from your cybersecurity environment than others. Your unique CMMC security will become explicitly clear as soon as Requests for Information are sent, as the DoD will appraise your organization based on a contract you currently hold with them. Representatives from the Office of the Under Secretary of Defense have indicated that the vast majority of the DIB will be required to obtain a Level 1 certification.

CMMC Levels Explained

Level 1

The CMMC Level 1 requires that organizations have basic cyber hygiene practices in place and are performing foundational cybersecurity processes. Of all of the levels, this one is based on securing foundational principals for all defense contractors.

Level 2

CMMC Level 2 is considered more intermediate and requires organizations to establish and document strategic plans, policies and standard operating procedures. The controls required in Level 2 enable organizations to address and combat more cyber threats than Level 1.

Level 3

CMMC Level 3 requires organizations to demonstrate good cyber hygiene practices and implementation to comply with NIST SP 800-171. Any defense contract involving Controlled Unclassified Information (CUI) will require a Level 3 certification. Level 3 organizations will be required to dedicate a manager to document and perform the recommended cybersecurity processes. This level is built to secure prolonged usage of CUI and verify an organization’s environment is suitable to do so.

Level 4

CMMC Level 4 will require organizations to demonstrate a substantial and properly functioning cybersecurity program. Level 4 certification requires organizations to prove their overall cybersecurity activities are reviewed and managed to properly and quickly escalate matters if needed. In securing your environment for this level, proper programs must be implemented and proven effective for sensitive information from the DoD.

Level 5

The CMMC Level 5 certification indicates an advanced cybersecurity plan is in place. It also demonstrates the organization’s ability to make adjustments and optimizations in order to combat evolving threats. To meet the needs of Level 5, an organization must have a sustainable, adaptable cybersecurity environment built.

CMMC Services with Tetra Defense

Take the First Step

Sit down with our experts to ask questions, learn more about the framework and understand how it will impact your business with our complimentary Executive Briefing. Under mutual NDA, we discuss the cybersecurity environment you currently have in place and what it will take to be one step closer to certification.

If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DoD contract, you need to start preparing now for the eventual CMMC security standards. It remains to be seen exactly what elements the DoD will stress over others, but establishing a program now will put you in a much stronger position later.

For more information on the levels and how to prove your environment is secure, visit DoD’s FAQ page here: https://www.acq.osd.mil/cmmc/faq.html; the information on this page is drawn directly from this source.

CMMC Explained: The Five Levels and Your Environment

What is CMMC?

CMMC Security Readiness: How Do I Prepare?

How is a CMMC certification obtained?

How much will a CMMC certification cost?

When will the CMMC framework be available?

What Level of certification will I need?

CMMC Levels Explained

CMMC Services with Tetra Defense

Take the First Step

Contact Us to Schedule Your Executive Briefing

CMMC Resources

Using Data-Driven Approaches to Thwart Ransomware

CMMC: This New Requirement Needs a Different Approach

CMMC Level 2: Going Beyond the Basics

HEADQUARTERS

HOURS