In response to the growing number of cyber threats that continue to plague organizations, the Department of Defense (DoD) implemented the Cybersecurity Maturity Model Certification (CMMC) to ensure that suppliers in the Defense Industrial Base (DIB) adequately protect sensitive data known as Controlled Unclassified Information (CUI). A single weak link in the DoD's supply chain can compromise national security.
The CMMC model requires DoD contractors, and the subcontractors in their supply chains, to be certified that the systems and practices they have in place meet the cybersecurity requirements of the specific certification level appropriate to the data they handle.
Before the CMMC, the DoD already required its contractors to adhere to existing security standards, such as NIST SP 800-171. However, contractors could self-attest that they were compliant; the CMMC replaces self-attestation with assessment by an accredited third party.
In this blog post, we'll explore each of the five levels defined in the original CMMC model (version 1.0).
Level 1: Basic Cyber Hygiene
Level 1 focuses on safeguarding information based on the requirements set forth in 48 CFR 52.204-21 (the FAR basic safeguarding clause). Contractors looking to achieve Level 1 need to have basic cybersecurity controls in place, such as using anti-malware software and keeping it updated, applying physical security around computer equipment, and identifying and authenticating each individual user, process, and device before granting system access.
Rather than handling CUI, these organizations are more likely to deal with Federal Contract Information (FCI). There is no requirement to assess process maturity at this level; practices only need to be performed, not documented.
Level 1 certification requires compliance with 17 practices as defined in the CMMC model. These 17 practices fall under six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.
Level 2: Intermediate Cyber Hygiene
Level 2 acts as a transitional step, as companies need to expand their scope from protecting FCI to protecting CUI. Organizations looking to obtain Level 2 certification need to protect CUI under the guidelines set forth in NIST SP 800-171.
The main transition between Level 1 and Level 2 is the introduction of process maturity. At Level 2, the organization must establish and document the policies and practices that implement its IT security program.
Level 2 certification requires compliance with 72 practices: 65 NIST SP 800-171 requirements plus 7 other practices. In addition to performing these practices, organizations seeking Level 2 must document the specific policies and procedures they have in place for carrying them out. These practices fall into 15 domains. In addition to the six Level 1 domains, organizations seeking Level 2 certification must comply with practices in Audit and Accountability, Awareness and Training, Configuration Management, Incident Response, Maintenance, Personnel Security, Recovery, Risk Management, and Security Assessment.
Level 3: Good Cyber Hygiene
In order to achieve Level 3 status, an organization must comply with standards and controls across multiple frameworks, including all 110 security requirements of NIST SP 800-171 and the obligations of DFARS clause 252.204-7012.
Organizations seeking Level 3 certification must demonstrate that they have implemented effective security controls and that they are able to protect CUI. In terms of process maturity, the organization must go beyond the documented policies and procedures of Level 2 and establish, maintain, and resource a plan for carrying out each domain's activities.
Level 3 certification requires compliance with 130 practices: all 110 NIST SP 800-171 requirements plus 20 other practices, spanning all 17 CMMC domains. Over and above the domains required for Levels 1 and 2, Level 3 adds the two remaining domains, Asset Management and Situational Awareness.
Level 4: Proactive
Level 4 certification deals largely with protecting CUI from Advanced Persistent Threats (APTs): well-resourced, typically nation-state sponsored adversaries that maintain long-term, stealthy access to a target. Organizations hoping to achieve this level must demonstrate that they have proactive measures in place to safeguard CUI from such adversaries.
These proactive measures must allow the organization to adapt to the evolving tactics, techniques, and procedures (TTPs) used by these actors. In terms of process maturity, a Level 4 organization must review its activities and procedures for effectiveness and must have a process for informing higher-level management of issues or deficiencies. Level 4 certification requires compliance with 156 practices: all 110 NIST SP 800-171 requirements plus 46 other practices, spanning all 17 domains of the CMMC model.
Level 5: Advanced/Progressive
Organizations looking to achieve Level 5 certification must have an advanced, progressive cybersecurity program in place that continuously optimizes its capabilities.
These organizations must implement sophisticated tools and processes to repel APT activity. In terms of process maturity, they must demonstrate that their activities are standardized across all organizational units and that they can identify and share improvements throughout the organization.
Level 5 certification requires compliance with 171 practices: all 110 NIST SP 800-171 requirements plus 61 other practices, spanning all 17 domains of the CMMC model.
Because the levels are cumulative, Level 5 certification implies that the contractor meets all of the criteria set by the CMMC, including every practice and process requirement at Levels 1 through 4.
Across the five levels, the CMMC model is composed of 17 domains and 171 practices, most of which come from the NIST SP 800-171 requirements.
The domains are further broken down into capabilities, with only certain capabilities and practices required at each level. Organizations seeking Level 5 certification must comply with all 171 practices.
The following infographic gives a brief outline of how many practices are associated with each level. Navigating the CMMC is a complex process, and it is advisable to turn to compliance experts like the team at 24By7Security with any questions.
24By7Security is a Registered Provider Organization (RPO) certified by the CMMC Accreditation Body (CMMC-AB), fully qualified and trained to provide CMMC readiness services and to help contractors in the Defense Industrial Base on their path to certification against the CMMC standard.
Learn more about our CMMC Readiness Services by clicking on this link.