Understanding CMMC Compliance: A Dive Into the 3 Maturity Levels

In 2019, the U.S. Department of Defense (DoD) released a new framework for data security called the Cybersecurity Maturity Model Certification (CMMC). The DoD released an updated framework, CMMC 2.0, in July 2021. While there were five CMMC levels in the first version, CMMC 2.0 only has three levels. The three new levels essentially match CMMC 1.0 levels 1, 3 and 5, with the even-numbered transition levels removed. The DoD is still developing some parts of CMMC 2.0 Level 3.

Defense contractors must comply with the CMMC to show they can protect federal data. Other organizations can use the CMMC to assess and improve their cybersecurity practices.

What Is CMMC Compliance?

Complying with CMMC means implementing specific security procedures and practices to achieve certification. To maintain certification, your organization must undergo an assessment. How frequently the assessments are done and who can conduct them varies by CMMC level.

Certification is often required when the DoD awards an organization a defense contract. A contractor doesn’t need CMMC certification if they only handle public information. However, contractors working with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must comply with CCMC to ensure they have the appropriate safeguards to protect this data.

Once the DoD fully implements CMMC 2.0, their requests for information (RFIs) will specify the CMMC level required for the contract. Typically, the same CMMC level also applies to any subcontractors and all organizations in the prime contractor’s supply chain. If the prime contractor only releases specific information, a lower CMMC level may apply instead.

What Are the CMMC Levels?

There are three CMMC levels — Foundational, Advanced and Expert. The DoD based all three levels on standards from the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171 and NIST SP 800-172. Because the CMMC aligns with NIST standards, compliance requirements will evolve as the underlying standards change.

Complying with higher levels means providing more protection but can also mean spending more time and money to implement and monitor. However, achieving CMMC certification may be relatively simple if your organization already meets NIST standards.

Level 1 — Foundational

Level 1 CMMC compliance is likely necessary if you work with FCI. This information is not public and is used to deliver or develop a service or product for the federal government. CMMC Level 1 covers basic cybersecurity hygiene, such as keeping systems updated and managing passwords appropriately. Compliance with this level requires implementing 17 cybersecurity practices from NIST SP 800-171 and an annual self-assessment.

Level 1 is an excellent place to start if your organization is looking for a basic framework for cybersecurity best practices or if you have limited resources to dedicate to achieving and maintaining a higher level.

Level 2 — Advanced

CMMC Level 2 is equivalent to NIST SP 800-171. It includes 110 practices and processes, including risk management, access controls, physical security and incident response. Compliance requires documenting these processes and an annual self-assessment. Contractors in federal programs that involve information critical to national security must also pass an assessment from a CMMC Third-Party Assessor Organization (C3PAO) every three years.

Organizations need CMMC Level 2 certification if the following apply:

• They work with CUI, such as storing it in nonfederal systems.
• They use federal data but aren’t collecting or maintaining it.
• They use federal data but aren’t operating a system on behalf of a federal agency.
• There are no specific requirements for protecting data in the CUI category they handle.
• Their DoD contract involves critical infrastructure in the utilities, communications networks and transportation industries.

Level 3 — Expert

As noted above, CMMC Level 3 is still under development. However, it will be based on the 110 practices from NIST SP 800-171 and some additional requirements from NIST SP 800-172.

Level 3 CMMC compliance is required for contractors handling CUI associated with a high-value asset or a critical program. It includes more sophisticated processes for several categories, including information protection, threat detection and system hardening. Organizations must implement advanced processes, document these processes and report any security incidents.

The Defense Contract Management Agency will assess organizations that must meet CMMC Level 3 requirements. These government assessments will likely be every three years, but the DoD is still developing the assessment process.

The organizations that need CMMC Level 3 certification are similar to those that need Level 2. However, they need higher security assurances because they handle more sensitive CUI.

The Benefits of CMMC Compliance

Even if your organization doesn’t have to comply with CMMC, doing so can be advantageous. Here are some of the benefits of CMMC compliance:

• Improve cybersecurity: The most obvious benefit is that following this framework can help you improve your cybersecurity hygiene.
• Cover critical categories: Complying with CMMC ensures you don’t miss any essential areas. It covers several categories of cybersecurity, from asset management and training to system integrity and recovery plans.
• Improve incident response: CMMC practices provide a strong defense against cyberattacks and data breaches, but they can also help you respond better if an attack or breach does happen. Having a plan in place for data recovery and incident reporting can help you get up and running again sooner.
• Earn more business: Becoming CMMC certified can show customers that you take security seriously and help you win new defense contracts and business outside the DoD.

Trust Your Cybersecurity and Compliance to Contigo Technology

If you need to verify CMMC level compliance, Contigo Technology can work with you. Our CMMC consulting services start with a gap analysis from one of our compliance managers. Then, our Registered Practitioners (RPs) will help you close any gaps to achieve the level you need. Our RPs can also evaluate your current processes in a pre-assessment before you schedule an official assessment with a C3PAO.

Contigo Technology provides cybersecurity and IT support and consulting services in Central Texas. We include a Help Desk Icon to make it quick and easy to get support, which is unique to our company.

Reach out to learn more about how we can help you achieve CMMC compliance!