The Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) framework to standardize cybersecurity practices throughout the Defense Industrial Base (DIB). CMMC is designed to increase defense contractors’ accountability and compliance with existing DoD regulations.
CMMC has three levels. Once CMMC becomes law, all defense contractors—primes and subs—will need to achieve the CMMC level specified in their DoD contract. This blog explains the three CMMC levels and offers tips on how your organization can achieve the CMMC level it needs to continue to do business with the DoD.
CMMC levels explained
- Level 1 (Foundational) is for organizations working with Federal Contract Information (FCI) only. FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Emails exchanged with the DoD or another contractor in the supply chain and delivery schedules are examples of FCI. Note that every DoD contract contains FCI, as that also encompasses proposal and contract information—meaning that every contractor will need to achieve at least Level 1.
- Level 2 (Advanced) is for organizations working with Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies. Engineering drawings, technical orders, and research data related to military or space applications are examples of CUI.
- Level 3 (Expert) is for organizations working with CUI on our nation’s most critical defense programs, such as designing and developing fighter jets or nuclear submarines. Relatively few organizations will need to achieve Level 3 (see related sidebar).
Your contract—either directly with DoD or with a contractor above you in the supply chain—will specify which CMMC maturity level you need to achieve.
The DoD estimates that the approximately 220,000 organizations in the Defense Industrial Base (DIB) will breakdown into CMMC levels as follows:
CMMC requirements by level
CMMC will standardize the implementation of security controls and compliance assessments at each maturity level.
CMMC Level 1 (Foundational)
At Level 1, organizations must demonstrate performance of basic cyber hygiene practices to protect FCI.
Level 1 requirements are specified in Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. That clause identifies 17 cyber hygiene practices distributed across six domains. Those six domains are:
- Access Control
- Identification and Authentication
- Media Protection
- Physical Protection
- System and Communication Protections
- System and Information Integrity
Organizations at Level 1 will need to conduct an annual self-assessment of their compliance with Level 1 requirements.
CMMC Level 2 (Advanced)
At Level 2, organizations must demonstrate that they have an institutionalized management plan to securely store, process and transmit CUI. The DoD considers work that involves handling CUI—for example, building parts for a weapons system—to be critical to US national security. Likewise, such contracts are subject to more stringent cybersecurity regulations than those that entail just FCI at Level 1.
Level 2 practice requirements align with NIST SP 800-171, Protecting Controlled Unclassified Information [CUI] in Nonfederal Systems and Organizations. NIST SP 800-171 identifies 110 cybersecurity controls distributed across 14 domains, including the six noted above for Level 1 plus an additional eight domains.
Note too that the DoD’s assessment methodology for compliance with NIST SP 800-171 specifies objectives associated with each control. There are 320 objectives distributed across the 110 NIST SP 800-171 security controls. Every objective associated with a control must be met for that control to be satisfied, as illustrated in Figure 1:
The foundational requirement for NIST SP 800-171 compliance is development of a System Security Plan (SSP) detailing the policies and procedures your organization has in place to comply with the 110 NIST SP 800-171 controls. The SSP is a prerequisite for consideration for any DoD contract. Additionally, for any controls not met, you’ll need to develop a Plan of Action & Milestones (POA&M) indicating by what date those security gaps will be closed.
Organizations at Level 2 will be required to undergo independent assessments of their compliance once every three years., Those assessments will be conducted by a certified CMMC Third Party Assessment Organization (C3PAO). Note that DoD has considered a bifurcation of Level 2 that would permit organizations that handle CUI but work on non-prioritized DoD acquisitions to conduct annual self-assessments, as opposed to undergoing C3PAO assessments. A final decision has not yet been made in this regard.
CMMC Level 3 (Expert)
To achieve Level 3, organizations must not only meet Level 2 standards, but surpass them by having optimized processes in place along with enhanced practices that detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors.
Level 3 security requirements, while not yet finalized, are expected to be based on NIST SP 800-171’s 110 controls—the same as Level 2—plus an estimated 20 controls from NIST SP 800-172, for a total of approximately 130 controls.
Relatively few organizations will need to achieve Level 3. As noted above, DoD has estimated that roughly 500 organizations in its supply chain will be held to this standard. That represents less than 0.3% of the DIB—generally, the nation’s largest prime contractors with multi-billion dollar DoD contracts for massive projects such as aircraft carriers, rockets, and command and control communications systems.
Organizations at Level 3 will be required to undergo independent assessments of their compliance once every three years. Those assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s ultimate authority on compliance.
How to achieve CMMC compliance
To attain Level 1 certification, organizations need to meet basic cyber hygiene requirements. Level 2 certification efforts should start with compliance with NIST SP 800-171. The same is true for Level 3—although additional, more sophisticated cybersecurity practices will need to be fully implemented to achieve the highest CMMC level.
All organizations that handle CUI will need to achieve at least Level 2, our focus here. The path to CMMC Level 2 certification can be made more manageable by breaking it down into four phases. Focusing on the key steps within each phase will help your organization move forward faster and more cost effectively.
CMMC and your business
CMMC is steadily working its way through the Federal rulemaking process toward implementation. In the meantime, it’s a mistake to wait until CMMC requirements appear in defense contracts to start work on raising your cybersecurity levels. Experts estimate that it can take an organization 12-18 months to prepare for a CMMC Level 2 assessment.
Organizations that are well-positioned to achieve CMMC certification when that time comes are the ones that will win defense contracts and stay in business.
The fact is that organizations that handle CUI already are contractually obligated to implement NIST SP 800-171’s 110 security controls, which CMMC Level 2 will mirror. And the DoD—with stricter contractual oversight and increased audits—and the Department of Justice—with its active Civil Cyber-Fraud Initiative—have issued wake-up calls to the DIB. Their message is loud and clear: The most prudent move defense contractors can make to safeguard the long-term viability of their business is to start now to improve their cybersecurity compliance.
Organizations will need to achieve the CMMC level appropriate to their work if they wish to do business with the DoD. For the majority of defense contractors, that means implementing 17 basic cyber hygiene practices to meet Level 1 requirements. The remaining organizations in the DIB handle CUI as part of their DoD work and so will need to achieve at least Level 2 certification once CMMC is implemented.
PreVeil can help your organization achieve CMMC Level 2. Its secure file sharing and email platform supports 260 of the 320 NIST SP 800-171 assessment objectives, and 102 of the 110 NIST SP 800-171 security controls. PreVeil is easy to deploy and use and is a fraction of the cost of alternatives. Once PreVeil is deployed, your organization will be well on its way toward NIST SP 800-171 compliance and CMMC Level 2 certification when that time comes.
To learn more:
If you need help or have questions about CMMC, NIST SP 800-171, or any other topics, please don’t hesitate to reach out and schedule a free 15-minute consultation with our compliance team.
Or you may wish to learn more by reading PreVeil’s white papers and blogs:
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
- NIST SP 800-171 Compliance: Improving Cybersecurity and Raising Your SPRS Score
- Case Study: Defense contractor achieves 110/110 score in NIST SP 800-171 DoD audit
- CMMC Compliance Checklist: 12 Steps to Help You Get Ready for CMMC
- Who is responsible for protecting CUI?
- CMMC Assessment Guide
- CMMC in Rulemaking: Why Defense Contractors Should Start on Compliance Now
- What is DFARS 252.204-7012 and Why is it Important?
Or learn more by watching our videos: