In reaction to the growing number of cyber threats which resulted in billions of dollars worth of losses, the Department of Defense (DoD) introduced its newest certification system called the Cybersecurity Maturity Model Certification (CMMC). It was introduced on January 21, 2020. The CMMC is designed to safeguard the important DoD information called Controlled Unclassified Information (CUI) and Federal Contractor Information (FCI). It also attempts to alleviate the possible cyber threats associated with storing and sharing that data.
The CMMC level that an organization will need to achieve depends upon the vulnerability of the DoD information it will work with, and the scale of cyber threats associated with that information. Therefore, the more important the CUI, the higher the CMMC level will be required. Before CMMC, companies could define their compliance under the Defense Federal Acquisition Regulations (DFARS) and NIST 800-171. Owing to the lack of proof that they had been adhering to security practices allowed companies with security gaps to carry on providing their products and services to the DoD. This inescapably led to breaches and disruptions in the defense supply chain.
Organizations and companies that are part of the Department of Defense’s supply chain, whether as contractors or subcontractors, must obtain CMMC certification. Managed service providers (MSPs) and managed security service providers (MSSPs) also have the responsibility to comply with CMMC requirements.
If you have access to your clients’ data, systems, or network infrastructure and they are part of the DoD supply chain, you will be within the scope of CMMC and required to provide evidence of due diligence and care.
CMMC compliance requirements may differ for those further down the supply chain, with the level depending on how information flows from the prime contract to the third party in question. It may not be necessary for them to achieve the same level of compliance as the prime contract.
CMMC Level 1 demonstrates basic or foundational cyber hygiene. The 17 controls of NIST 800-171 rev1 need to be executed by the DoD contractors who wish to pass the level 1 audit. The first CMMC level is about meeting the basic demands to protect the FCI.
It ensures that all employees use up-to-date antivirus software applications and safe passwords that will protect them from uncertified third parties. This is the only level where documentation does not need to be audited; the company just needs to perform the processes. All organizations having an active contract with the DoD should be able to achieve CMMC Level 1 compliance without any concerns and with minimal effort required to reinforce their cybersecurity defenses. Read more about how to achieve CMMC Level 1.
Contractors and subcontractors of the Department of Defense (DoD) who handle Federal Contract Information (FCI), which refers to non-public information provided or generated under a contract to develop or deliver a product or service to the Government, will be required to obtain CMMC level 1 certification. For this particular level, DoD contractors and subcontractors have the flexibility to perform the required practices in an ad-hoc manner without relying on extensive documentation. They have the option to achieve certification through an annual self-assessment, and the assessment conducted by C3PAOs (Certified Third Party Assessment Organizations) does not include an evaluation of process maturity for this level.
Level 2 demonstrates “Advanced Cyber Hygiene”. This level requires an organization to set up and document practices and policies to manage the implementation of its CMMC efforts. This level requires all 110 NIST SP 800-171 Rev2 controls to achieve certification. The documentation of applications and processes is introduced at this level to ensure practices are performed in a replicable manner. It consists of a subgroup of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Read more about how to achieve CMMC Level 2 compliance.
Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments. The subcontractor may be subject to a lower CMMC level if the prime contractor only shares specific information with them. This includes companies in the energy, water, communications, and transportation sectors.
Level 3 demonstrates that Expert-Level cyber hygiene practices are being followed. At this level, organization are mandated to establish, maintain and resource a plan to manage the activities needed to implement its cyber security practices. The plan needs to include details on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Those who would like to attain Level 3 compliance need to constantly evaluate all activities based on their cybersecurity policy. At this level, organizations are expected to support activities and review policies and processes, demonstrating a plan to manage specific tasks. Companies need to implement all NIST 800-171 controls plus an additional subset of NIST 800-172 controls. Know more about CMMC Level 3 and its importance on our blog.
Companies that handle the most sensitive or highly secure controlled unclassified information (CUI) for DoD contracts, in addition to the requirements for Level 2 certification, must obtain Level 3 certification. The assessment of organizations for CMMC Level 3 certification is conducted by the Defense Contract Management Agency of the Federal Government and these companies will have a DFARS 7021 clauses in their contract.
Here is what CMMC Level 4 and Level 5 previously entailed:
Level 4 demonstrated ‘Proactive’ cybersecurity. Organizations at this level can needed to take correctional action when necessary. They also notifed higher-level management of status or issues regularly. In addition to levels 1 through 3, 11 more controls of NIST, 800-171 Rev2 plus 15 new “Other” controls were implemented. Both CMMC Level 4 and Level 5 focussed on addressing the changing strategies, methods, and plans used by Advanced Persistent Threats (APTs). These domains included access command, acknowledgment and instruction, layout management, conservation, physical safeguarding, retrieval, situational awareness, and more. At Level 4, organizations were expected to analyze and document tasks for effectiveness and advise upper management on any matters.
Level 5 demonstrated “Advanced / Progressive” cybersecurity. Level 5 required an organization to standardize and refine process implementation across the organization. Level 5 focused on the security of CUI from APTs. To achieve this highest level, DoD contractors needed to implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls. Organizations at this level were expected to clarify and regulate process implementation across the enterprise. The main difference between Level 4 and Level 5 was that stability was achieved across the entire organization by having a proactive cybersecurity plan and standardized processes. Contractors needed to put in place 171 security controls, which were grouped into 17 groups to achieve compliance with the highest CMMC level.
As your organization moves forward it helps to have an IT risk and compliance management partner that understands the complexities and nuances of dealing with defense department contracts. SureShield, the top choice for compliance automation solutions, ensures ease when it comes to implementing this CMMC-level accreditation that companies are required to bid for and win contracts with the DoD. Read our blogs about opportunities and new challenges with CMMC and everything you need to know about CMMC for more information on the subject.
Follow us on Twitter and Linkedin for new updates and visit our website to know how ComplyShield can help you streamline CMMC compliance.