Defense contractors that work with the U.S. Department of Defense (DoD) will soon be required to meet CMMC requirements to bid on contracts.
The Cybersecurity Maturity Model Certification (CMMC) refers to a unified framework that enforces cybersecurity standards within the defense industrial base (DIB). There are currently more than 300,000 contractors within the supply chain that have access to confidential defense information in their information systems.
The CMMC was developed by the DoD in response to increasing cybersecurity concerns. Five certification levels make up the CMMC and reflect the reliability and maturity of a company’s cybersecurity infrastructure and ability to safeguard sensitive government information.
What Are The 5 CMMC Levels?
The CMMC model consists of five defined levels, each with its own set of supporting processes and practices. The practices range from basic cyber hygiene (Level 1) to advanced/progressive (Level 5). Processes are optimized across the organization from Level 1 to Level 5 and built upon one another, meaning a company must meet the processes within the target level, as well as practices and processes below that level.
Here is a more detailed look at each of the five levels of CMMC:
Level 1
Level 1 of CMMC is known as “Basic Cybersecurity Hygiene” and is the lowest level of security controls that government contractors must meet to earn CMMC. Defense contractors must have basic security controls in place to qualify for this maturity level. The main goal of Level 1 is to safeguard federal contract information (FCI).
CMMC Level 1 is the foundation upon which all other levels are built. When contractors have basic security controls in place, they have the capability to protect FCI, meaning they are eligible for certain government contracts. Level 1 consists of 17 practices.
Level 2
Level 2, or “Intermediate Cyber Hygiene,” is considered a transitional phase between Level 1’s basic security measures and Level 3’s sound protection of controlled unclassified information (CUI). Defense contractors that reach this level have documented their processes and shown that users can repeat these processes.
To reach Level 2 compliance, contractors must show that they have a total of 72 specific security practices and 34 processes in place. As Level 2 is a transitional stage, a subset of the CMMC practices refers to the protection of CUI as specified by NIST SP 800-171.
Level 3
Level 3 of CMMC requires defense contractors to establish, resource, and maintain a plan for managing activities required to implement cybersecurity practices. The plan may include details regarding a variety of topics, such as projects, missions, training, resourcing, and the involvement of stakeholders.
Also called “Good Cyber Hygiene,” Level 3 builds upon the security requirements in Levels 1 and 2 and means that the company has 130 cybersecurity practices and 51 processes in place. Practices include those outlined in Federal Acquisition Regulation (FAR), all practices in NIST SP 800-171, as well as 20 additional practices required for maintaining good cyber hygiene.
Level 4
CMMC Level 4 is the “Proactive” stage for government contractors that have demonstrated that they have properly established cybersecurity best practices. To reach this level, companies must show that they have 156 practices in place, in addition to the practices required for Level 3 and a subset of 11 practices from NIST SP 800-171B.
Level 4 requires defense contractors to periodically review the effectiveness of their security practices. Companies must also take corrective action when necessary and inform management of their security status on a regular basis. Practices under Level 4 focus heavily on detection and response to security threats.
Level 5
Level 5 is the “Advanced/Progressive” stage and the highest level of CMMC. This advanced level requires government contractors to meet 171 practices, including practices from FAR, NIST SP 800-171 r1, and a specific subset of four practices from NIST SP 800-171B. An additional 11 practices help demonstrate that the business has established an advanced cybersecurity program.
Practices at Level 5 focus on the protection of CUI from advanced persistent threats (APTs), thus increasing the depth and sophistication of the company’s cybersecurity capabilities. CMMC Level 5 organizations are expected to standardize process implementation across the organization to meet process maturity.
Defense contractors are responsible for improving the cybersecurity posture of the DIB and protecting FCI and CUI. The CMMC has been created to ensure that DoD contractors have the appropriate cybersecurity practices and processes in place. The program has already begun to roll out; therefore, all defense contractors should begin to familiarize themselves with the CMMC as soon as possible.
Schedule A Consultation With SeaGlass
The CMMC framework can be complex and meeting any of the five cybersecurity maturity models requires an extensive understanding of its practices and processes. To learn more about the five levels of CMMC or to speak with an expert NYC IT service provider, contact SeaGlass Technology.