Cyberattacks executed on Department of Defense (DoD) supply chains are concerns for national security. As a result, obtaining the Cybersecurity Maturity Model Certification (CMMC) is required for defense contractors to bid on DoD contracts. If companies are not CMMC certified or don’t have the right level of certification for a specific contract, they cannot bid. Indeed, the CMMC holds third parties accountable and keeps the defense supply chain safe. To be prepared and able to accept DoD contracts, companies must understand and achieve the CMMC level most appropriate for them.

Initial Considerations

The particular contract a company holds with the federal government dictates what CMMC level they need. Contractors must hold that level throughout the duration of the contract. Additionally, if an organization holds multiple contracts with varying levels of CMMC, it must maintain the highest level for the entire contract.

This certification is not a one-time achievement, nor is it a one-size-fits-all model - it is a continuing effort. There are five levels within the CMMC, each more stringent than the tier below it. Not all contractors must obtain the highest CMMC level (5). Indeed, most would do just fine achieving Level 3, but others need to reach a higher certification.

> Find out if Your Company is Subject to CMMC Level 3 Requirements: Self-Assessment Tool

CMMC Levels and General Applicability

Each of the five CMMC levels addresses different tiers of cybersecurity to allow contractors to comply with the level most suitable for them:

Level 1. Basic Cyber Hygiene

  • This level provides a foundation of practices for the higher levels. However, process maturity is not addressed since a contractor's ability to perform process and documentation practices may not be consistent.
  • Contractors may have access to federal contract information.
  • With a Level 1 certification, contractors should have a limited ability to stop data exfiltration and recover from malicious actions. These procedures must be performed in an ad-hoc manner, at the very least.

Level 2. Intermediate Cyber Hygiene

  • This level introduces a more advanced set of practices and documentation requirements, creating greater agility and more consistent asset protection management.
  • At this level, companies should establish and record standard operating procedures, policies and strategic plans to guide the implementation of their cybersecurity program. These systems allow individuals to perform functions consistently and repeatably, leading to mature capabilities.

Level 3. Good Cyber Hygiene

  • Companies are expected to meet the security requirements set forth in NIST SP 800-171 Rev 1.
  • This level is necessary for any company that generates or requires access to Controlled Unclassified Information (CUI).
  • Companies must show a fundamental ability to protect and support an organization's assets and CUI. However, at this level, companies may still face hurdles battling advanced persistent threats (APTs).
  • Organizations subject to DFARS clause 252.204-7012 have to meet more requirements, such as incident reporting.
  • Companies must also establish a plan that displays practice implementation and management.

Level 4. Proactive

  • A company performing at Level 4 demonstrates a proactive cybersecurity program that focuses on defending against APTs.
  • These actions improve the detection and response abilities for combating APTs.
  • At this level, companies should focus on the effectiveness of procedures and should be able to take corrective action quickly. They are able to keep senior management informed consistently.

Level 5. Optimizing

  • This level mandates that an organization standardizes and optimizes the implementation process throughout the company to better combat APTs. This differs from Level 4’s requirement to focus on being proactive.
  • Companies should practice and document in a regulated manner across the organization.
  • There is also a focus on continuous improvement.

Differences Between NIST SP 800-171 and CMMC Level 3

Some compliance standards have overlapping controls and provide a good starting point. As a general rule, if an organization is NIST 800-171 compliant, it is likely within the scope of CMMC Level 3. It is important to note that these two compliance tiers are not identical, and that CMMC Level 3 (ML-3) certification has an additional twenty (20) requirements.

For example, a CMMC Level 3 audit will cover 100% of the NIST 800-171 CUI controls as well as an additional twenty (20) controls. Also, it should be noted that NIST 800-171 primarily focuses on protecting CUI at rest, in transit or when being processed. The CMMC requires companies to also comply with nonfederal organization controls.

Figuring Out Which CMMC Level Is Right for Your Organization

The DoD specifies a contractor's required CMMC level through requests for information and requests for proposals. The determination is based on the specific contract. This determination is the lowest level the company must achieve in order to be awarded the contract, but they can choose a higher tier to position their company for future contracts. Becoming familiar with each level and its requirements will help contractors understand their current state and set a goal.

Existing compliance standards can also help companies estimate where they currently stand on the CMMC chart. Many compliance standards align with NIST standards, which makes them a strong resource for guidance.

InfoDefense Helps Contractors Prepare

DoD defense contractors must become CMMC certified at the appropriate level for their contract. The levels range from basic hygiene to advanced preparation to prevent APT attacks. Each CMMC level contains all of the criteria of the preceding ones and increases in requirements as the levels rise.

Companies need to perform assessments to identify gaps and determine where changes are necessary to achieve the right level. However, some existing compliance regulations can help contractors approximate where their security posture is.

The CMMC can be costly and confusing, so we advise that you get it right the first time. InfoDefense has years of experience getting contractors compliance-ready. Even though the CMMC is a fairly new standard, we can get you ready for that too. Download our free self-assessment tool, or contact us today for more information.

Originally published June 23, 2021, updated September 16, 2021