Modern technology has made doing business easier in so many ways, but along with this convenience comes significant risk. Cybercriminals and hackers are becoming increasingly savvy, and the amount of damage they are capable of inflicting can devastate an organization.
In response to this changing landscape, the U.S. government has tightened its regulations regarding data protection throughout its supply chain, and all companies that wish to do business with the U.S. Department of Defense (DoD) must adhere to a new set of security standards known as the Cybersecurity Maturity Model Certification (CMMC).
What Is CMMC Compliance?
CMMC is a new standard for security and data protection instituted by the DoD that applies to all organizations that bid on DoD contracts. It is aimed at protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) owned by government entities and their contractors.
It is significantly stricter than its predecessor, the NIST SP 800-171 standard. In addition to having more requirements, it eliminates the self-assessment option that was previously acceptable for demonstrating compliance. An outside audit is now required to confirm CMMC compliance.
What Level Of CMMC Compliance Does My Business Need?
CMMC is divided into five categories known as maturity levels, which rise in complexity and sophistication as the level number increases. Each practice falls under one of 17 domains, such as awareness and training, security assessment, and risk management. Outlined below is a look at the five levels that organizations need to consider.
Level 1: Basic Cyber Hygiene/Implemented
Gaining Level 1 certification requires 17 practices related to the most basic procedures involved in safeguarding data, such as implementing individual user accounts, ensuring a network is private, and employing strong passwords that are changed from defaults.
It is relatively easy for most companies to attain this level, and those that have done business with the DoD in the past are already compliant, but official certification will still be necessary in order to proceed.
Level 2: Intermediate Cyber Hygiene/Documented
Level 2 certification requires 72 practices along with a series of processes. This means that in addition to following the outlined rules, an organization must document those rules and show that it is taking steps to embed them into its day-to-day operations. Level 2 is considered a bridge between Level 1’s basic requirements and the stronger security afforded by Level 3. Attaining Level 2 is not sufficient for most government contracts.
Level 3: Good Cyber Hygiene/Managed
To obtain Level 3 CMMC certification, an organization must follow 130 practices. The focus of Level 3 is the set of security steps needed to protect CUI, and it adds two more domains: situational awareness and asset management.
The required practices include the 110 from NIST SP 800-171, as well as 20 additional practices. Level 3 also adds a third process requirement: companies must create a specific plan for each domain, complete with objectives, goals, and timelines for execution, and with senior management involved.
Level 4: Proactive Cyber Hygiene/Reviewed
Level 4 certification requires 156 practices and is considered a bridge level, which means most organizations that achieve this level are doing so on the way to reaching Level 5 certification. It involves more cooperation and visibility on the part of senior management in preparation for heading into the final compliance level and shifts the focus to protection from Advanced Persistent Threats (APTs).
APTs are advanced, long-running cyber theft campaigns in which information is stolen gradually over an extended period in the hope of avoiding detection. Such tactics are difficult to prevent and disrupt, which is why protection against them is so vital for organizations handling sensitive data.
Level 4 also requires organizations to review their practices regularly and determine whether they are effective. This entails creating metrics to measure progress and decide whether the original plan has been successful.
Level 5: Advanced Cyber Hygiene/Optimizing
All 171 practices in the CMMC are incorporated into Level 5, which is the final and strictest level. It requires standardized procedures and continuous optimization. Around-the-clock maintenance and monitoring are needed to maintain this certification, and companies must be prepared to alter their security systems as needed in order to stay on top of constantly evolving cyber threats.
Contractors who operate at the bottom of the supply chain may only need Level 1 certification, while those that receive, process, or create CUI need to be at Level 3 or above.
Meanwhile, those that have access to highly sensitive data and to CUI associated with high-value assets, such as military base construction information, will need to attain certification at one of the two highest levels.
Contractors should inventory all their systems to find out where and how they are storing FCI and CUI data. A CMMC readiness assessment is a good way to determine what needs to be done to comply with the appropriate CMMC level.
Reach Out To Seaglass Technology
If your organization has any doubts about CMMC compliance or needs assistance reaching a particular level, get in touch with the experienced professionals at Seaglass Technology to find out more about our services.