Prior to the Cybersecurity Maturity Model Certification, defense contractors were responsible for implementing, maintaining, and assessing their own cybersecurity practices in accordance with the NIST Special Publication 800-171. CMMC aims to improve upon those measures and unify them in a single framework that applies to all defense contractors and subcontractors. It also introduces a number of controls and processes from outside the scope of NIST.
One of the most important considerations when preparing for your first CMMC audit is which level to aim for. CMMC spans five levels in total, with CMMC level 1 being a foundational one and CMMC level 5 pertaining to progressive and proactive security. Due to the complexities of achieving higher levels, organizations will need to keep their goals realistic and in line with their existing systems and capabilities.
Here is a brief introduction to what each level broadly encompasses:
CMMC level 1 – Basic cyber hygiene (performed)
CMMC level 1 sets the stage for the entire CMMC framework by establishing a bare minimum standard for cybersecurity. As such, it is a natural starting point, as well as a requirement for handling federal contract information (FCI). CMMC level 1 introduces the first 17 cybersecurity practices, most of which are fairly basic. If you already work with the DoD, then you probably already meet the CMMC level 1 requirements. If not, then it should only require minimal effort to implement the necessary controls, since they are standard in many compliance regimes.
CMMC level 2 – Intermediate cyber hygiene (documented)
CMMC level 2 pertains to intermediate cyber hygiene in which efforts to protect information assets and systems are documented. This level is a transitional step and the first to introduce controlled unclassified information (CUI). As such, achieving a level 2 certification does not open the door to more lucrative contracts, but it does help you plan for compliance with the most important level of all – CMMC level 3. Level 2 introduces 55 practices and 34 processes. However, achieving compliance should be straightforward for existing defense contractors.
CMMC level 3 – Good cyber hygiene (managed)
Most organizations that have contracts with the DoD or hope to do so in the future will want to aim for CMMC level 3, since this is the minimum requirement for handling CUI. Level 3 relates to good cyber hygiene whereby security practices and processes are fully documented and regularly reviewed. This level introduces 58 new processes, most of which are from the NIST SP 800-171 framework, as well as 17 new processes. Achieving level 3 compliance is a key goal for many existing or would-be defense contractors, but it is also a lofty goal.
CMMC level 4 – Proactive cyber hygiene (reviewed)
CMMC level 4 introduces proactive cybersecurity measures with a focus on protecting against sophisticated cyberthreats. This will become mandatory for organizations handling high-value assets on behalf of the DoD, such as highly sensitive information. After all, the defense sector is a top target for state-sponsored attackers, who typically have practically limitless resources and use advanced attack vectors like advanced persistent threats (APTs). If you already meet the demands of CMMC level 3, then level 4 only requires implementing a further 26 practices and 17 processes.
CMMC level 5 – Progressive cyber hygiene (optimizing)
CMMC level 5 is the highest certification level you can reach, and it is also the most difficult. At this level, you must have standardized and optimized cybersecurity procedures and controls in place throughout your company. This includes advanced measures like security incident and event management (SIEM), proactive threat hunting capabilities, and threat intelligence systems. CMMC level 5 only introduces 15 additional practices and 17 processes, but they are complex and broad in scope.
Start with a cybersecurity gap assessment
Of course, any organization wants to achieve the highest possible standards of cybersecurity, but it is not always practical to aim straight for level 4 or 5. This is why CMMC is divided into four levels so that the DoD can effectively manage risk without locking out the numerous small businesses that make up the Defense Industrial Base (DIB).
Determining which CMMC level you need to comply with depends on your existing contracts and business goals. For example, if you work at the very bottom of the defense supply chain, the first level may be enough. On the other hand, if you have access to highly sensitive military data, you will need to reach level four or five.
The best way to get started is to carry out a security gap assessment to evaluate your existing infrastructure, since this will help you hone in one the level that is most achievable.
Charles IT helps you navigate the road to CMMC compliance. We offer expert guidance and solutions to ensure you’re ready for your first audit. Book your first consultation today!