Those who have been following the CMMC over the past months know by now that CMMC is designed to measure a company’s ability to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). It outlines five levels of cybersecurity maturity, ranging from basic cyber hygiene practices at Level 1 to highly advanced practices and processes at Level 5. The Department of Defense (DoD) will specify which of these levels companies in the DIB must meet in order to bid on a specific contract.
The 5 levels of CMMC go from basic cyber hygiene at level 1 to advanced practices and processes at level 5
Katie Arrington however has noted on several occasions that she’d be surprised to see Level 2 on any contract for the DIB. So, why does CMMC has a Level 2 if the DoD never meant for this level to appear in a contract?
A few weeks ago, PreVeil spoke with Bernhard Bock, CISO at SysArc to ask him this very question. Bernhard and SysArc have been actively involved in commenting on and shaping the language of CMMC since the framework first came out. Below is the transcript of PreVeil’s conversation with him. It has been edited for brevity and clarity.
PreVeil: Let me start off by asking where does the thinking come from that led to having level 2?
Bernhard: I believe Katie and her team were influenced by the five levels of the Capability Maturity Model Integration (CMMI) which was developed at Carnegie Mellon University – the same institution that, along with Johns Hopkins, was responsible for much of the thinking that went into CMMC. CMMI is required by many US Government contracts, especially in software development and provides guidance for developing or improving processes that meet the business goals of an organization. CMMI defines the maturity levels for processes as Initial, Managed, Defined, Quantitatively Managed, and Optimizing. This is very much in line with how CMMC defines progress of cybersecurity maturity.
PreVeil: CMMC Level 2 is defined as intermediate cybersecurity hygiene. It requires organizations establishes practices and policies to guide CMMC efforts. It’s further defined as a transitional stage for protecting CUI. It seems like this might be an important level of cyber maturity for some companies. So, why has Katie said that Level 2 will never be in a contract?
Bernhard: Level 2 really was always meant as a steppingstone. It is meant to provide an intermediate goal as contractors go from level 1 to level 3. It comes up from doing basic stuff and doing it ad hoc in level 1. However, in level 3 a company has policies. No one has policies out of the blue. You need standard operating procedures and alike. So level 2 provides the intermediary step that allows companies to get their act together and take the last push that will get them to level 3.
In level 2, you are no longer ad hoc but you are not measuring against a standard yet. The next step is to measure and manage practices against the CMMC framework and have good cyber hygiene in place. That’s level 3.
PreVeil: Why would a contractor ever want to be a level 2?
Bernhard: Well, this is anecdotal, it’s thought that if some contract only requires a level 1 and if a company bidding has a level 2, then that company would have an advantage over competitors in getting the contract. Additionally, level 2 is relatively easy to achieve. Looking at the practices in level 2, a number of controls don’t really require any changes to your network.
AC.2.09 says Limit unsuccessful logon attempts.
AC.2.10 says Use session lock with pattern-hiding displays
AC.2.11 Authorize wireless access prior to allowing such connections
None of these have any significant cost associated with them and have a limited impact on your network.
PreVeil: Is it fair to say that most companies are already at level 2?
Bernhard: Most companies, particularly those with managed service providers handling their basic IT, are basically there. There should be little to no cost tweaks to get to level 2.
And I think this is where Katie has been going when she has said that level 1 should be free. Level 1 is the normal cost of doing business when you have an IT system. Level 2 is just tweaking level 1.
PreVeil: What is the challenge of Level 2. Why can’t we say that everyone will be there, in say, 3 months?
Bernhard: They could be there. Level 1 is having basic security in place. Level 2 is tweaking it to be more efficient. Level 3 is adding that extra step to bring in good cyber hygiene. There is little reason why if you are at level 1 you cannot get to level 2. Getting to level 2 is just a bit of work.
PreVeil: So, why do we have CUI appearing in level 2? If we want to protect controlled unclassified information, then we shouldn’t allow contractors without good cyber hygiene to access CUI.
Bernhard: The reality is that you essentially have two types of contractors. There are those who are just selling products out of their public service catalog. There’s no contract specific intellectual property involved in what they sell. For example, they sell standard hammers and nails that don’t have any changes to the underlying product. They would be Level 1 contractors.
The second type of contractor is one who handles CUI. As soon as the contractor has to make any modification to the hammer or nail in order to meet the demands of a contract, then it becomes CUI because there’s IP involved. The contractors handling this second type need to have a level 3 certification. There really is nothing in between these two levels.
Again, they add CUI here at level 2 because they wanted to make it a nice steppingstone.
PreVeil: The way you are describing it level 2 could go away in the future.
Bernhard I think it could go away because it’s pretty useless. There’s not much space between pulling something out of the catalog and making it useful as you do in level 3. Level 2 isn’t good for anything other than being a transitory goal to achieve to get you to level 3. The level 2 contractor couldn’t handle the modified hammer and nails.
PreVeil: Have any of your customers asked you about level 2?
Bernhard: My customers mainly ask me about level 4. My customers are working on developing level 4 capabilities. They are asking what do I need to do to become more competitive in case I want to bid on level 3 contracts.
PreVeil: If you were advising a company that’s currently at level 1 and wants to get to level 3, would you tell them to look at level 2 as an intermediary step?
Bernhard: If the contractor is currently at level 1 and they want to get to 3, I would tell them to focus on level 3. Most likely Level 2 contracts will be not existent. It’s just a milestone. You just need to complete the level 2 to get to level 3.
PreVeil: What are the big lessons here?
Bernhard: Level 2 again is just a steppingstone. It is not really a place where company can market itself. Companies in the DIB should strive for 3.
Level 1 is a security mindset that is 15 years old. With level 1, you just have security managed at perimeter plus antivirus and patching. Today, we should really have companies in the DIB focused on thinking about level 3. Level 3 is where you need to know your network. The company needs to know their assets and configuration managements and have its network secured by auditing so changes can be tracked. This is where DoD really wants contractors to go.
PreVeil: Bernhard, you have taught us a lot. Thank you very much for your time.
Bernhard: Thank you.
Learn more about how PreVeil can facilitate your compliance with CMMC. Download our whitepaper!