The clock is ticking for organizations that need to become CMMC compliant. The DoD has laid out their implementation timeline and made it clear that all DoD contracts will include a CMMC level requirement by the end of 2026.
Taking your first look at the DoD's documentation can be intimidating. The technical jargon and references to previous security standards add up fast. It’s enough to frustrate even the most seasoned of IT professionals. Questions start to pile up: What are the 5 levels of CMMC maturity? Which level does my organization need to reach? How long do I have until I'm at risk of losing contracts due to lack of compliance?
This article will answer all of those questions and more. By the end, you should have a clear understanding of the 5 levels of CMMC.
If you want to save yourself the time and headache of figuring out the processes and procedures you need to implement, let us do it for you! Our CISO, Josh Ablett, is a CMMC-AB Registered Practitioner who has been helping clients with cybersecurity since 2010 and NIST 800-171/CMMC compliance since 2017.
We offer a proven and effective process to find your gaps, build a plan, and work with you to get where you need to be.
The CMMC model aims to improve the alignment of cybersecurity practices with the type of information that an organization needs to protect.
The cybersecurity maturity of an organization is measured within a system of five levels. Each consists of a set of processes and practices that must be implemented. The more sensitive the DoD information that your organization works with, the higher the maturity level you will be required to reach.
The processes range from simply being performed at level 1, to being performed, documented, reviewed, and optimized at level 5.
These levels and the associated processes and procedures are cumulative. For an organization to achieve a specific level, it must also prove attainment of the previous levels as well.
The visual below should help you understand how the CMMC model is constructed. The full list of practices can be found on page 16 of the DoD's CMMC Model document.
Does your organization handle CUI? Were you previously or currently required to comply with NIST 800-171? Do you have a DFARS clause in your contract? If you answered yes to any of those questions, than you will most likely need to reach level 3.
Defense Industrial Base (DIB) companies that do not process, store, or transmit CUI, will need to obtain a CMMC level 1 certification. DIB companies that process, store, or transmit CUI will need to achieve a CMMC level 3 or higher, depending on the sensitivity of the information associated with a program or technology being developed.
It’s important to have a basic understanding of the current relationship between NIST 800-171 and CMMC, because the two will coexist in the time that CMMC is being implemented.
The DFARS Interim Rule tells organizations that until a CMMC level requirement is built into a specific contract, they are expected to comply with the requirements laid out in NIST 800-171. That means that you must indicate if you have met all 110 NIST 800-171 requirements or have a Plan of Action and Milestones (POAM) that indicates your intention to do so.
Your efforts in implementing the NIST 800-171 requirements won't be for nothing once CMMC becomes the standard. The foundation of CMMC Level 3 is composed of the 110 requirements that make up NIST 800-171. If you successfully implement the NIST 800-171 practices, you are well on your way to achieving CMMC Level 3 certification.
CMMC Level 1: Basic Cyber Hygiene
Level 1 focuses on the protection of Federal Contract Information (FCI). It requires that an organization performs basic cybersecurity practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
CMMC Level 2: Intermediate Cyber Hygiene
Level 2 serves as a transitional step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI). It requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner.
CMMC Level 3: Good Cyber Hygiene
Level 3 focuses on the protection of CUI. It requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Level 3 encompasses all the security requirements specified in NIST 800-171 as well as 20 additional practices to mitigate threats. Again, any contractor with a DFARS clause in their contract will need to at least meet Level 3 requirements.
CMMC Level 4: Proactive
Level 4 focuses on the protection of CUI from Advanced Persistent Threats (APTs). It requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
The practices required to reach this level of cybersecurity maturity enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures used by APTs.
CMMC Level 5: Optimizing
Level 5 focuses on the protection of CUI from APTs. It requires an organization to standardize and optimize process implementation across the organization. The additional practices laid out at this level increase the depth and sophistication of cybersecurity capabilities.
The DoD intends to roll out the program over the next five years, starting with contractors that are involved with critical programs like nuclear modernization and missile defense.
By the end of 2021, around 1,500 prime contractors and sub contractors will be required to reach some level of CMMC compliance. It’s estimated that by the end of FY2026, all new DOD contracts will include CMMC level requirements.
Take a look at the visual below to see the full scope of the 5 year CMMC roll-out.