Previously, we covered a brief history of the Cybersecurity Maturity Model Certification (CMMC 2.0) and touched on a few details of what it actually is. For this entry, we will dig deeper into the internals of CMMC and begin breaking it down into its parts. CMMC was originally a five-level program that has since been simplified into three levels: basic cybersecurity hygiene and controls for Level 1, intermediate for Level 2, and advanced for Level 3. Each higher level adds controls on top of everything required by the level(s) below it, so a Level 2 organization must satisfy every Level 1 requirement as well.

When bidding on Department of Defense (DoD) contracts directly, the required CMMC level will be listed in the solicitation; when working as a subcontractor, the prime contractor determines the level it requires of its subcontractors based on the information that will flow down to them. So the good news is that no one should have to figure out on their own which level they need to be certified to. It is also expected that most companies will end up needing to be certified to Level 2.

So let's get into what each level means, starting with Level 1. This level is intended to be a baseline of security with the goal of protecting Federal Contract Information (FCI). FCI is "information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government". This is one of the lowest tiers of "sensitive" information, and as such Level 1 only requires 17 controls to be met. This level is achieved through a self-assessment that is performed annually, with a senior company official affirming the results. Although the certification is achieved by self-assessment, companies may still want to work with an experienced cybersecurity firm when designing and implementing the program that will meet this level's requirements.

Both Level 2 and Level 3 certifications are intended to protect Controlled Unclassified Information (CUI). I want to emphasize the "unclassified" part of this designation. CUI is information that is restricted and may have national security implications, but for one reason or another it does not meet the requirements to be deemed confidential, secret, or top secret. I do not intend for the scope of any of these posts to reach into the world of controls needed for handling classified information. A list of DoD CUI categories can be found here. Some examples include military personnel records, budget information, and health data.

With that, let's discuss CMMC Level 2. This level is a much larger lift for companies, adding 93 controls to bring the total to 110, which is the entirety of NIST SP 800-171. While this can seem daunting, meeting all of these controls will give most companies a significantly more robust security posture. These controls consist of numerous practices that must be codified in official policies and also recorded, so that there is evidence to show they are actually being followed. For the certification itself, a small subset of companies will be allowed to fully self-certify, but most will be required to have a CMMC Third Party Assessor Organization (C3PAO) conduct an assessment and grant certification every three years, with an annual self-assessment and affirmation in between. C3PAOs are companies that have passed their own accreditation and received specific training to be allowed to certify companies as CMMC Level 2 compliant. Unless your company has significant cybersecurity experience, I highly recommend bringing in an experienced firm to help prepare before engaging a C3PAO, since any unmet control found during the assessment can delay or block certification.

As the DoD is still in the rulemaking process, we know the least about the specifics of Level 3. We do know that it will consist of all 110 controls from Level 2, plus at least some of the controls from NIST SP 800-172. This could be 35 or more advanced controls, but may end up being an additional one to two dozen. What is also known is that assessments for this certification will be conducted every three years by federal assessors (the DoD's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than a C3PAO, again with an annual self-assessment in between.

That is all for this entry. Next, we will begin breaking down the controls in each level.

See us next week!