Many companies that are DoD contractors or otherwise in the Defense Industrial Base (DIB) sector have been hearing about the Cybersecurity Maturity Model Certification (CMMC) and how compliance with it is not only going to be a recommendation: sooner rather than later it will be a full requirement to be able to bid on, and ultimately be awarded, a DoD contract.
While there has been a lot of spin and conversation regarding CMMC, the most current release is version 2.0, published in CFR 48. We are here to help you navigate these changes and requirements so that all DoD contractors can be successful!
What is CMMC 2.0?
Originally released in 2019, the CMMC framework was adopted by the US Department of Defense and defined five separate levels of compliance, depending on how many controls the contractor had in place. CMMC 2.0 updates the framework to consolidate these into three specific levels.
Another key difference is that CMMC 2.0 is now further tailored to the needs of the DoD, based on the security requirements of the data involved (CUI, Secret, Top Secret, etc.) as well as the specific security measures that organizations need to take in order to protect their data and supply chains.
Ultimately, CMMC closely (if not directly) parallels NIST 800-171 Rev 2, so you can easily take a self-assessment to see how close to or far from compliance your organization is currently sitting.
The 3 CMMC Levels
The three CMMC levels in version 2.0 are foundational, advanced, and expert. Organizations can choose which level they need to implement, based on their requirements. The higher levels offer more protection, but demand more resources to implement.
Most contracts will start requiring a minimum of Level 2 starting in October of 2025. Of course, there may be some difference in the dates of full implementation, although at the time of writing this article the industry is fairly confident in the current date estimate.
CMMC Level 1: Foundational Cyber Hygiene
The most basic level of security, Level 1, requires implementation of basic cybersecurity hygiene practices such as password management and keeping systems up-to-date with patches. This level is intended for small businesses with minimal risk to their data.
Level 1 is based on 17 controls, which are found in FAR 52.204-21. This is a good starting point for organizations that are just beginning to implement cybersecurity measures, or that have limited resources.
Level 1 certification is required for companies that handle Federal Contract Information (FCI) but aren’t considered part of the critical infrastructure, which includes most businesses and government agencies.
CMMC Level 2: Advanced Cyber Hygiene
Level 2 builds on the cybersecurity hygiene practices of Level 1 and requires additional measures to be put in place and maintained. Level 2 is similar to NIST SP 800-171 Rev 2 and includes 110 practices. Some of the practices focus on access control, incident response, risk management, physical security, and system and information integrity. For more information please check the NIST Website.
Level 2 certification is required for companies that handle CUI and are considered part of the critical infrastructure. This includes companies in the energy, water, communications, and transportation sectors.
CMMC Level 3: Expert Cyber Hygiene
Level 3 is the highest level of CMMC certification and requires the most stringent security measures. Level 3 is based on NIST SP 800-171 Rev 2 and adds additional practices from NIST SP 800-172. The extra practices focus on more sophisticated detection and response capabilities, information protection, and system hardening requirements.
Level 3 certification is required for the same types of companies that need Level 2 certification, but that also handle CUI on the most sensitive DoD contracts or those requiring higher security assurance. Organizations required to comply with CMMC Level 3 are assessed by the Federal Government’s Defense Contract Management Agency. Assessment process details for Level 3 are still being developed at this time. It is expected that a very small number of contractors will need this level of compliance.
How CMMC Certification Can Benefit Companies Who Don’t Need to Be Compliant
Even if your company does not need to be CMMC certified, there are still many benefits to implementing measures from the available CMMC levels. Cybersecurity is becoming more and more important, and CMMC provides a comprehensive framework for protecting data. Implementing CMMC measures can help your company protect its data and avoid costly breaches.
If your company isn’t required to be CMMC certified, you can still choose to implement some or all of the measures. This can help you improve your cybersecurity posture and show potential customers that you take data security seriously.
CMMC certification can also help you win more business. Many companies are now requiring their suppliers to become CMMC certified. By becoming certified, you can show these companies that you’re serious about data security and that you have the necessary measures in place to protect their data. This can give you a competitive advantage when bidding on contracts.
CMMC certification can be a long and difficult process, but it’s worth it for the benefits it provides.
For more information about CMMC certification, contact us today.