Key Takeaways
1. CMMC, or Cybersecurity Maturity Model Certification, is a security program based on the Department of Defense’s information security requirements.
2. Most organizations, including both prime and subcontractors working with the Department of Defense (DoD), will need to obtain CMMC certification.
3. I.S. Partners is an expert in the domain of CMMC compliance. Our cybersecurity team can guide you throughout the compliance process and ensure you are CMMC-certified.
What is CMMC?
CMMC, short for Cybersecurity Maturity Model Certification, is a program established by the United States Department of Defense (DoD) to evaluate the cybersecurity readiness of the vendors and contractors the DoD works with. The framework includes three maturity levels, each with escalating standards for protecting CUI.
The main goal of the CMMC program is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that flows through the department and its contractors (and their subcontractors).
Who Needs CMMC?
Most organizations, including prime and subcontractors engaged with the DoD, will eventually need to demonstrate compliance with CMMC. This mandate extends to all suppliers within the Defense Industrial Base (DIB) ecosystem, spanning small businesses, international suppliers, and larger contractors.
According to Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment at the DoD, the cyber hygiene of government contractors is a priority, and the importance of CMMC for protecting sensitive defense information cannot be overstated.
“We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” Arrington said during a presentation at the Professional Services Council Federal Acquisition Conference. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to a scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”
Who must be CMMC compliant? According to the DoD, the following entities must undergo and achieve CMMC certification:
- Prime contractors
- Subcontractors
- Suppliers across all levels of the DIB
- Contractors exclusively engaged with the DoD
Below are brief explanations of what each category means:
Prime Contractors
A prime contractor is a company or organization that supplies goods and services directly to the DoD. Given their access to contract specifics, prime contractors typically require a higher CMMC level than subcontractors.
They are responsible for cascading the relevant CMMC requirements to their subcontractors. The prime contractor determines the certification level required of each subcontractor based on the information that subcontractor receives during contract fulfillment.
For example, if contractors and subcontractors handle similar types of FCI and CUI, they will be subject to the same CMMC level.
Subcontractors
Smaller businesses often collaborate with prime contractors as subcontractors, providing specific services within larger projects.
These subcontractors must meet the CMMC compliance requirements corresponding to the data they handle, as they remain under the contract’s purview. However, higher CMMC levels may be mandated for other project elements.
For example, if a subcontractor deals with CUI or FCI, they must obtain Level 3 certification, even if the prime contract requires Level 1.
Suppliers
Prime contractors may delegate certain responsibilities to other firms within the DIB while remaining bound by their DoD contract obligations, which extend to those delegated firms as well.
Consequently, these lower-tier suppliers must align with the CMMC maturity levels applicable to their designated tasks, which may differ from those required of the prime contractor.
Some examples of industries or entities that require CMMC are listed below:
- Contractors
- Vendors
- Any other contracted third parties
- Civilian organizations that do business with the DoD
- Software or service providers, such as logistics, IT, or communications companies
- Small enterprises
- Foreign suppliers
- Enterprise-level contractors
If your company belongs to any of the above-mentioned categories and needs CMMC certification, contact I.S. Partners for expert guidance and audit support.
Which CMMC Level Do You Need?
The CMMC framework consists of different levels. The required CMMC level depends on what a company does and whether it handles CUI or FCI. While CMMC 1.0 featured 5 maturity levels, the updated CMMC 2.0 has been simplified to just 3 maturity levels.
Currently, CMMC 1.0 structures are no longer applied and have been replaced by the CMMC 2.0 levels.
Below we explain the levels of both CMMC versions, highlighting the changes and improvements made in the updated model.
See the comparison of CMMC 1.0 vs 2.0.
CMMC 1.0 Levels
The CMMC 1.0 certification process, released in 2020, comprises control domains and security practices organized into 5 security maturity levels, spanning from basic cyber hygiene (Level 1) to advanced/progressive (Level 5).
Below is a representation of the five levels of CMMC 1.0.
Level 1 (Basic Cyber Hygiene)
CMMC Level 1 serves as the foundational certification level and includes practices aligned with basic safeguarding CMMC compliance requirements outlined in the Federal Acquisition Regulation (FAR) clause 52.204-21.
Level 2 (Intermediate Cyber Hygiene)
CMMC Level 2 includes 110 controls (including those from Level 1), 320 assessment objectives, and a 270-page assessment guide. It is designed for companies handling CUI and is aligned with DFARS 252.204-7012 and NIST SP 800-171.
Level 3 (Good Cyber Hygiene)
This level is for companies wanting to reduce risks from Advanced Persistent Threats (APTs). Depending on the sensitivity of the information, DIB firms handling CUI need at least Level 3. CMMC Level 3 emphasizes safeguarding CUI, building upon the foundational security practices outlined in Levels 1 and 2.
This level incorporates all security requirements outlined in NIST SP 800-171 and 58 practices and standards to enhance security beyond Level 2.
Level 4 (Proactive Cyber Hygiene)
At the second-highest certification level, the focus shifts to proactive measures for detecting and responding to the sophisticated tactics used by APTs.
Implementing these advanced cybersecurity practices safeguards CUI against prolonged, targeted attacks aimed at extracting sensitive data.
Level 5 (Advanced Cyber Hygiene)
Achieving Level 5 certification represents the pinnacle of cybersecurity readiness, focusing on advanced strategies to safeguard CUI from APTs. Companies seeking Level 5 certification must establish standardized and optimized processes throughout their operations.
For government contractors, CMMC is a requirement. Although the CMMC certification process may be lengthy and costly, the investment pays off in the end.
CMMC 2.0 Levels
CMMC 2.0 introduces more security domains compared to its predecessor, CMMC 1.0. These additional domains include incident response, anomaly detection, supply chain risk management, and a system security plan.
Since December 2023, the CMMC 2.0 framework has been endorsed by the DoD and is now being implemented across service organizations.
The key differences between each level under CMMC 2.0 are:
- Level 1 is geared towards companies handling FCI only, in alignment with FAR 52.204-21
- Level 2 is designed for companies dealing with CUI in alignment with NIST SP 800-171 and FAR 52.204-21
- Level 3 is aimed at organizations with high-priority programs handling CUI, aligning with NIST SP 800-172, FAR 52.204-21, and NIST SP 800-171
Let’s get into the details of each level one by one:
Level 1: Basic Security
This level is for companies handling FCI only. It covers 17 controls for fundamental cybersecurity practices to protect FCI and other less-sensitive data. The CMMC assessment is an internal self-assessment performed every year.
Level 2: Enhanced Security
Companies dealing with CUI need Level 2 certification. It aligns with NIST SP 800-171 and consists of 110 cybersecurity practices. Assessment is a mix of third-party and self-assessment every three years.
Level 3: Advanced Security
The highest certification level focuses on protecting CUI in high-priority DoD programs. It includes 110+ controls, some from NIST SP 800-172. Level 3 requires a government-led assessment every 3 years.
Use I.S. Partners’ comprehensive CMMC Compliance Checklist to ensure your certification process is smooth and successful.
How Do Organizations Determine Their Need For Specific CMMC Levels?
Organizations assess their required CMMC level based on the types of information they handle and the nature of their work.
As a DoD contractor, your biggest question is probably “What certification level does my company need?”
To answer that, we need to determine the type of data involved in your DoD contract(s). This data falls into three main categories: public information, FCI, and CUI.
Public Information
Contractors dealing with public information for the DoD are exempt from CMMC, as per the NSF. Public information labeled as “Public Release Approved” or obtained from publicly accessible government sources falls outside the scope of CMMC guidelines.
This category includes unmarked data from uncontrolled government channels, such as public reports on industrial forecasts.
Note that handling public information does not require the special controls outlined in the CMMC guidelines. CMMC is unnecessary for contractors exclusively handling such data for DoD projects.
FCI (Federal Contract Information)
For defense contractors handling FCI, achieving CMMC Level 1 is typically advisable.
This level signifies the fundamental cybersecurity practices necessary to protect FCI, which comprises information not intended for public dissemination. FCI status is often denoted in document markings or outlined in contracts.
However, it’s important to note that FCI excludes basic accounting and transactional data essential for invoicing and financial transactions.
Contractors undertaking defense projects involving FCI data are likely to require Level 1 CMMC. This certification involves the adherence to 17 cybersecurity practices and permits an annual self-assessment for compliance validation.
CUI (Controlled Unclassified Information)
Handling CUI mandates at least CMMC Level 2. CUI, a subset of FCI, carries additional safeguarding and handling controls, and it should be clearly identified in DoD contracts. Guidelines for CUI identification and management are outlined in NIST Special Publication 800-171.
Contractors engaged in DoD projects involving CUI data must obtain at least CMMC Level 2. This certification involves compliance with all 110 practices in Levels 1 and 2 of the CMMC framework.
Feeling overwhelmed with the intricacies of the different levels? Don’t worry. A trusted service provider like I.S. Partners can assist you in achieving CMMC compliance and guide you through the process.
How Can I.S. Partners Help You Become CMMC Compliant?
As industry leaders in the CMMC domain, our team specializes in guiding government vendors and contractors through CMMC audit readiness, compliance, and certification.
We offer customized gap assessments, policies, and processes designed to meet the specific CMMC requirements for your organization, ensuring compliance and enhancing your cybersecurity posture.
Here’s how we can help:
- Certified IT experts conduct thorough CMMC assessments
- We offer a range of penetration testing services to bolster cybersecurity
- Comprehensive gap assessments pinpoint vulnerabilities for effective remediation
Ready to find out what your CMMC compliance requirements are? Click here to speak with a specialist today!