A Guide to Cybersecurity Maturity Model Certification (CMMC) Levels
Introduction to CMMC Levels
For contractors who work with the Department of Defense (DoD) and are preparing for the required Cybersecurity Maturity Model Certification (CMMC) assessment, it's important to understand the three levels that make up the maturity model. They are not always well understood but well worth knowing. Consider this your guide to CMMC levels.
CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD will require all contractors to be certified to one of the three CMMC levels.
"CMMC is a unified standard that takes into account the various information security standards and best practices that need to be implemented within the defense industrial base supply chain to protect federal contract information and controlled unclassified information," says Rhia Dancel, Information Security Technical Manager with NSF-ISR.
Dancel's NSF-ISR colleague and fellow information security expert, Tony Giles describes it this way: "The DoD and its supply chain are keen to see organizations meet this mandated information security standard as soon as possible to further protect U.S. national security."
Cybersecurity practices in CMMC 2.0 align with NIST 800-171 for Level 1 and Level 2.
The Three CMMC Levels Explained
The required certification level will be determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business.
For DoD contractors, the key question is: What level of certification will my organization be required to achieve?
The answer depends on the type of data exchanged or created by the DoD contract(s). There are three broad categories of information: public information, federal contract information (FCI) and controlled unclassified information (CUI).
Public Information: No CMMC Certification Level Required
Public information is described as data identified as "public release approved" or similar, or unmarked information available from an uncontrolled, publicly available government source. That would include, for example, government reports on industrial output forecasts intended for general release and publication.
Handling public information does not require any special handling or controls, and it's not included in official CMMC published guidelines. Meaning contractors working only with public information to fulfill their work for the DoD will not require CMMC certification.
Federal Contract Information (FCI): CMMC Level 1 Certification Likely
FCI is information that is not intended for public release. The designation is typically included in document markings or indicated in the contract. FCI, however, does not include basic accounting and transaction information required for invoicing and receiving payments.
If a DoD contractor requires only FCI data as part of defense work being done, they will likely need to achieve Level 1 CMMC certification. Level 1 includes 17 cybersecurity practices and allows for an annual self-assessment.
Controlled Unclassified Information (CUI): Requires At Least CMMC Level 2 Certification
CUI is FCI that comes with additional guidance related to special safeguarding or handling controls. CUI should be clearly marked and defined in the DoD contract. Instructions for identifying and handling CUI can be found in the NIST Special Publication 800-171.
If a contractor does work for the DoD that includes sharing and processing CUI data, the contracted organization is required to achieve at least a CMMC Level 2 certification. This level requires compliance with all 110 practices in Levels 1 and 2.
"Level 1 is foundational cyber hygiene and includes 17 practices. Dancel says. "Level 2 is advanced cyber hygiene which aligns with NIST 800-171. Level 3 is expert and includes not only NIST 800-171 controls but also a subset of NIST 800-172 controls."
In December 2021, the DoD released CMMC 2.0 Assessment Guide - Level 1 and CMMC 2.0 Assessment Guide - Level 2. These documents define and explain CMMC compliance requirements. Assessors will rely on these guides during the assessment process, and DoD suppliers can also use them to prepare.
Note that CMMC also defines requirements for Level 3, but the assessment guide has yet to be published.
CMMC 2.0 Framework and Levels
The CMMC 2.0 framework includes cybersecurity best practices across 17 domains. A domain, in the context of a network, refers to a group of users, workstations, devices, printers, computers and database servers that share different types of data across the network.
The three CMMC levels include defined practices. Not all information is equally sensitive, and employees may have different access permissions. Reaching higher CMMC levels improves a firm's capacity to protect CUI.
Foundational Cyber Hygiene Practice: This level requires basic cybersecurity protocols deployed by most companies. To reach Level 1, firms need to implement 17 NIST SP 800-171 Rev2 controls.
Advanced Cyber Hygiene Practice: This level requires all 110 NIST SP 800-171 Rev2 controls to achieve Level 2 certification.
Expert Practice: This level includes advanced cybersecurity processes implemented, reviewed and updated across the enterprise. Companies need to implement all NIST 800-171 controls plus an additional subset of NIST 800-172 controls.
Level 1-3 Summary
Level 1 reflect the basic approach most companies use. Level 2 refers to DoD cybersecurity requirements in NIST SP 800-171 Rev2. Requirements for Level 3 meet the standards of NIST 800-171 along with a portion of NIST SP 800-172. The controls are consistent with security measures many contractors use.
|Foundational Cyber Hygiene
Contractors should bear in mind that these are all definitions and guidelines. An organization's DoD contracting officer is the ultimate authority for determining the CMMC certification level. They are also the best person to answer questions related to how protected information should be handled under any given contract.
The Benefits of CMMC Compliance
Under the new CMMC 2.0 requirements, contractors who are certified have a distinct competitive advantage within the defense industrial base (DIB), which includes an estimated 350,000 suppliers. Proactive defense contractors will start the certification process even before a request for proposal (RFP) is initiated.
When it comes to multi-year contracts, companies that are CMMC compliant early in the process will be in a better position to secure these contracts. Firms that wait until the last minute will likely have fewer contract opportunities.
Aside from contracts and revenue, the largest benefit is CMMC certified suppliers will be better prepared against cybersecurity attacks and data breaches, having implemented network information security protocols consistent with industry best practices. This benefit can further protect an organization's reputation and could extend to contracts outside of the DoD.
Dancel offers her perspective: "I think many organizations are already inherently protecting their information and data. So, adding this other layer of technical controls and documentation will only enhance the security measures they have already implemented."
A Smart Approach to CMMC
Contractors who plan on continuing to work with the DoD recognize CMMC requires a higher level of cybersecurity measures. The rigorous process will also have the effect of forcing out suppliers, either not interested or unable, to meet the information security requirements mandated by CMMC.
Some suppliers will lose the opportunity to bid on DoD contracts, but for savvy contractors willing to undertake certification steps, those opportunities will still be available. Also, as with any new, large-scale, multi-year government program, changes will be a reoccurring part of the process, especially in the early part of the five-year rollout that started in 2020.
Motivated DoD suppliers will stay informed about CMMC, take changes in stride and be proactive in order to achieve early certification. These organizations recognize as contracts with CMMC requirements are announced and RFPs are published, early CMMC certification will open doors that may well be closed to their non-compliant competitors.