CMMC Explained: The Five Levels and Your Environment
Understand what the Cybersecurity Maturity Model Certification (CMMC) is, why the Department of Defense is requiring it, and how to comply in order to maintain or obtain your DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) is the standard by which the Department of Defense will assess the cybersecurity environment of the businesses it contracts with. Depending on the nature of the product or service, the required certification may range from Basic Cyber Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in writing in the RFP.
The cybersecurity posture of contractors will now be materially relevant to the awarding of DoD contracts. This requirement stems directly from the DoD’s vested interest in defending the confidentiality, integrity, and availability of its contracted partners.
There are a lot of questions and details to be addressed about your cybersecurity environment. As the rollout of the CMMC progresses, we’ll continue to update this page to keep you informed. Be on the lookout for webinars, writing materials, and secure sources about how your hygiene correlates with CMMC security standards.
Your company must contact a third-party assessment organization that is authorized to conduct CMMC assessments by the CMMC Accreditation Body. After you identify the CMMC level required of your organization in the RFP, the assessor will determine whether or not your environment meets the requirements to be certified at that level. Self-assessment and self-certification are not an option. Your CMMC certification level will be public knowledge, but specific findings regarding your environment will not be publicly available.
The costs of the actual CMMC certification are going to be reimbursable under this CMMC program. However, costs to implement cybersecurity systems and processes in order to comply with the required certification level will be borne by the company.
CMMC Version 1.0 was released in January with Version 1.02 released in March. CMMC requirements will begin to appear in Requests for Information in June 2020.
The diversity of the Defense Industrial Base (DIB) does not lend itself to a one-size-fits-all approach to security. To that end, the CMMC levels are designed to build sequentially upon one another. Level 1 is the most universal level of hygiene, while Levels 2, 3, 4, and 5 grow progressively more demanding. Depending on the nature of your organization, the DoD may require more of your cybersecurity environment than of others. The CMMC level that applies to you will become explicitly clear once Requests for Information are sent, as the DoD will appraise your organization based on a contract you currently hold with them. Representatives from the Office of the Under Secretary of Defense have indicated that the vast majority of the DIB will be required to obtain a CMMC Level 1 certification.
Level 1
CMMC Level 1 requires that organizations have basic cyber hygiene practices in place and are performing foundational cybersecurity processes. Of all the levels, this one establishes the foundational safeguards expected of every defense contractor.
Level 2
CMMC Level 2 is considered more intermediate and requires organizations to establish and document strategic plans, policies and standard operating procedures. The controls required in Level 2 enable organizations to address and combat more cyber threats than Level 1.
Level 3
CMMC Level 3 requires organizations to demonstrate good cyber hygiene practices and to implement the controls needed to comply with NIST SP 800-171. Any defense contract involving Controlled Unclassified Information (CUI) will require a Level 3 certification. Level 3 organizations will be required to dedicate a manager to document and perform the recommended cybersecurity processes. This level is designed to protect CUI over the long term and to verify that an organization’s environment is suitable for handling it.
Level 4
CMMC Level 4 will require organizations to demonstrate a substantial and properly functioning cybersecurity program. Level 4 certification requires organizations to prove that their overall cybersecurity activities are reviewed and managed so that matters can be escalated properly and quickly when needed. To secure your environment for this level, the appropriate programs must be implemented and proven effective at protecting sensitive information from the DoD.
Level 5
CMMC Level 5 certification indicates that an advanced cybersecurity plan is in place. It also demonstrates the organization’s ability to make adjustments and optimizations in order to combat evolving threats. To meet the needs of Level 5, an organization must have built a sustainable, adaptable cybersecurity environment.
Sit down with our security experts to ask questions, learn more about the CMMC framework and understand how it will impact your business with our complimentary Executive Briefing. Under mutual NDA, we discuss the cybersecurity environment you currently have in place and what it will take to be one step closer to certification.
If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DoD contract, you need to start preparing now for the eventual CMMC security standards. It remains to be seen exactly what elements the DoD will stress over others, but establishing a CMMC security program now will put you in a much stronger position to achieve compliance later.
For more information on the CMMC certification levels and how to prove your environment is secure, visit the DoD’s FAQ page at https://www.acq.osd.mil/cmmc/faq.html; the CMMC requirements information on this page is drawn directly from that source.