On January 31, 2020, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) program. CMMC is not a new set of controls written from scratch; it is a unified framework that builds on existing requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS) cyber security clause and NIST SP 800-171. Its purpose is to better protect controlled unclassified information (CUI) and federal contract information (FCI) by measuring defense contractors' security readiness before they are awarded work.
The program has yet to be fully implemented, but certification is expected to be a requirement in all new DoD contracts by 2026. Defense contractors that want to keep working with the DoD therefore need to prepare to meet CMMC requirements now. Before certification can happen, it is important to understand the five levels that make up the program.
Before we go any further, let’s begin by explaining what a maturity model is. A maturity model is a tool that’s used to help a person, group, or organization assess their current effectiveness. It also helps you figure out what capabilities you need to acquire next to improve your performance.
The main goal of CMMC is to help defense contractors like you improve your cyber security measures so that CUI and FCI stay protected. CMMC maps cyber security best practices and processes into a five-level maturity model. The sensitivity of the information you handle determines which level you must achieve.
Each level has practices and processes you must follow, with CMMC Level 1 being the most basic. The first level focuses on basic cyber hygiene. Levels 1 and 2 both concern contractors that handle FCI. Although FCI is not classified, it is not meant for public release, so you must safeguard it by implementing the basic safeguarding requirements in 48 CFR 52.204-21.
At Level 1 you are expected to perform the practices in 48 CFR 52.204-21, but process maturity is not assessed. In other words, the DoD only checks that the practices are in place; they may be performed in an ad hoc manner when required rather than documented and repeated consistently.
CMMC Level 2 requires intermediate cyber hygiene and documentation. At this level an organization must establish and document the policies and practices it uses to implement the CMMC requirements. Documenting them matters because it makes the security measures repeatable rather than dependent on whoever happens to be doing the work.
Level 2 is a stepping stone from Level 1 to Level 3. Unlike Level 1, it incorporates a subset of the practices in National Institute of Standards and Technology (NIST) SP 800-171, so it contains some references to protecting CUI. Because it is a transitional stage, however, it is not on its own sufficient for handling CUI.
To achieve CMMC Level 3, you must demonstrate good cyber hygiene. This means implementing all 110 requirements of NIST SP 800-171 plus 20 additional CMMC practices. Your organization must also establish, maintain, and resource a plan showing how it manages the implementation of those practices. For example, the plan may include:
- Project Plans
- Involvement With Stakeholders
If your contract contains the DFARS cyber security clause (DFARS 252.204-7012), which already requires NIST SP 800-171 compliance, you need to be at least Level 3.
Level 4 is where you are expected to review and measure the practices you perform in order to understand how effective they are, and to take corrective action when they fall short. Reaching Level 4 means you have a substantial, proactive cyber security program, and you are trusted to protect CUI from advanced persistent threats (APTs).
Level 5 is the highest rung on the CMMC ladder. At this level you are recognized as an organization with an advanced, progressive cyber security program, and process maturity calls for standardizing and optimizing process implementation across the whole organization.
The DoD is phasing CMMC in slowly to give contractors time to make the necessary changes. Requests for information have started this year, with an estimated 15 procurements for critical DoD programs and technologies expected to carry CMMC requirements. That number is expected to rise to 75 next year, 250 in 2023, 325 in 2024, and 475 in 2025. In these first procurements, CMMC certification is expected to be a go/no-go requirement for award rather than a scored evaluation factor.
Compliance is the key to certification, so the first step is to determine whether you handle CUI. Once you know what kind of information you deal with, you can review where you stand today and where you need to improve. That assessment gives you a foundation for a plan to strengthen your security measures.
Remember that if you only handle basic information such as FCI, Level 1 should suffice. If you handle CUI, you should aim for Level 3 or above.
If you need reliable cyber security services, turn to the experts at RCS Secure. We specialize in cyber security, and our team takes guarding your network seriously. That is why we offer robust cyber security solutions tailored to the needs of your business. In addition to our security solutions, we also offer a comprehensive list of services to help you achieve compliance.
Whether you need to become CMMC, NIST, or Payment Card Industry Data Security Standard (PCI DSS) compliant, we are here to serve you. Our consultants work closely with you to steer your IT toward meeting compliance standards. From there, our team keeps your environment compliant with our continual compliance solutions.
Contact us today to get started on your journey to CMMC compliance.
RCS Secure offers a full spectrum of cyber security safeguards and services. Our services combine compliance standards expertise with cutting-edge technology to identify risks, prioritize remediation, and ensure you are both secure and compliant.