Which CMMC Levels Do I Need for My Business?

Advances in technology can bring huge benefits for your company, but they come with major risks as well. Hackers and cybercriminals are more skillful in their attacks, and the damage they can cause is more dangerous. In the face of these threats, the U.S. government has become more rigorous in its protection of data down its supply chain. Beginning in 2021, companies that want to do business with the U.S. Defense Department will need to adhere to a new set of security standards called the CMMC. 

What is CMMC compliance?

The Cybersecurity Maturity Model Certification (CMMC) is a new security and data protection standard adopted by the Defense Department, which will apply to any business that wants to bid on Defense Department contracts. Its purpose is to protect any “controlled, unclassified information” (CUI) and federal contract information (FCI) that is owned by government entities or their contractors. 

CMMC is a successor to NIST 800-171 standard, the Defense Department’s previous standard for cybersecurity. CMMC has more requirements than its predecessor, and abolishes a self-assessment option that was sufficient for compliance in years past. Now companies that want to do business with the Department of Defense (DoD) will need to prove their cybersecurity posture via an outside audit. If they don’t, they will lose eligibility to bid on DoD contracts.

Why does my business need to become CMMC compliant?

If you are currently doing business with the DoD, you will need to achieve CMMC compliance eventually — and that’s true for contractors and subcontractors alike. Large, “prime” contractors will go first, with compliance deadlines in 2021, but by 2026 all contractors and subcontractors will need to meet CMMC standards if they wish to do business with the Defense Department in the future.

CMMC certification will be managed by a new institution called the CMMC Accreditation Body (CMMC-AB). This organization will accredit independent assessors, who will then evaluate companies’ compliance. CMMC has five levels of compliance; the level you must reach depends on the type of data you will need to access to fulfill the obligations of your contract. If you are a vendor with little access to confidential information then Level 1 should be sufficient. If your company sells software that is used to navigate tanks or aircrafts, you will likely need to reach Level 5. The necessary minimum CMMC level for any given contract will be stated in the DoD’s Request For Proposal (RFP).

What are the five CMMC levels?  

CMMC is grouped into five “maturity levels” of increasing complexity and sophistication. In total, the various levels encompass 171 practices (the tasks you must accomplish in order to be certified, also referred to as controls); which are grouped into 43 categories known as capabilities. 

The capabilities, in turn, are grouped into 17 domains such as Risk Management, Security Assessment, Awareness and Training, and so forth. Fourteen of these domains were a part of previous security requirements; CMMC introduces three additional ones: Situational Awareness, Asset Management, and Recovery.

Below is a list of the five levels and examples of actions you will need to take to achieve certification for each. 

Level 1: Basic Cyber Hygiene/Performed 

Level 1 requires 17 practices and no processes. It encompasses the most basic procedures for safeguarding data, including steps you might take for granted: implementing individual user accounts, making sure your network is private, and using strong passwords that have been changed from the defaults, for example. 

The requirements in Level 1 are taken from previous standards, which should make it easier for most companies to obtain this basic level. If you’ve previously done business with the DoD you’re probably already compliant with these requirements, but you will still need to be certified to move forward. 

Level 2: Intermediate Cyber Hygiene/Documented 

Level 2 requires 72 practices, and at this level processes are also added. This means that it isn’t sufficient simply to follow the rules; you must also prove that you are taking steps to embed the rules into the fabric of your company. The focus also begins to move beyond basic protections to the specific protection of CUI.

That said, Level 2 isn’t likely to be sufficient for most government contracts. Level 2 was designed more as a bridge between the basic requirements of Level 1 and the more robust security of Level 3. 

In Level 2 there are two processes that span across 15 of the 17 domains: 

• Process 1: Establish a policy for each domain. 
• Process 2: Documentation of all practices for each domain. 

For example, for Awareness and Training, a company might establish its policy by creating a framework for how staff will be trained in cybersecurity measures, which is then documented and distributed throughout the organization. 

Level 3: Good Cyber Hygiene/Managed

Level 3 requires 130 practices. Level 3 moves the focus completely to CUI and the necessary security steps that it requires. This level also adds two more domains: asset management and situational awareness. In addition, the number of required practices jumps to include the 110 practices required from NIST SP 800-171, upon which CMMC was founded, along with an additional 20 practices beyond that standard. 

Level 3 also adds a third process, which requires companies to create a specific plan for each domain. These plans include goals and objectives, a timeline for execution, and the inclusion of senior management. 

For example, one of the practices added at Level 3 is “Detect and Report Events.” For this practice, a company might implement a Plan of Actions and Milestones that indicates how it will monitor threats and the procedures in place to report threats when they occur. 

Level 4: Proactive Cyber Hygiene/Reviewed 

Level 4 requires 156 practices. Like Level 2, Level 4 is also considered a bridge level; most companies that achieve this level will use it as a stepping stone to Level 5. Level 4 also integrates more cooperation and visibility from senior management at your company as preparation for moving to the final level of compliance. 

CMMC Level 4 shifts the focus to protection against advanced persistent threats, or APTs. An APT is an advanced cybertheft technique that involves stealing information over a long period of time to evade detection. These tactics, techniques, and procedures (known as TTPs) can be particularly difficult to prevent and subvert, so protections against them are extremely important when dealing with the sensitive data used in government contracts.

The process added at Level 4 requires organizations to regularly review their practices and determine whether those practices are effective. This includes the creation of metrics that will measure your progress and the examination of your original plan to find out if it succeeded. For example, the practices related to the Audit and Accountability domain require the creation of audit logs to identify TTPs, and that the information from those audits be reviewed regularly. 

Level 5: Advanced Cyber Hygiene/Optimizing 

Level 5 incorporates all 171 practices. This final level maintains the concentration on CUI protection from Level 4 and also adds a requirement for standardization of procedures and consistent optimization. Level 5 is the highest and strictest, and requires constant upkeep to maintain certification. Level 5 companies need to be flexible to stay vigilant in the face of changing risks.

The process added at Level 5 requires that a company’s security system be standardized across all affected units, and the company must assure optimization of the practices from each previous level. This optimization can be achieved by observing the reviews from Level 4 and altering your security system as needed to keep up with new and changing cyberthreats. Companies are given a certain amount of freedom in designing their own programs, which means that documentation of all procedures is required for full compliance. 

How soon do I have to become CMMC compliant?

For now, CMMC and NIST 800-171 will be used simultaneously. The new requirements are in effect as of 2021, but companies have until 2025 to become fully compliant. This grace period will allow companies currently engaging in government contracts time to bring their operations up to the new standards, and give new companies an opportunity to learn and implement the CMMC requirements. 

CMMC compliance is new territory, and if the process sounds overwhelming, there are people who can help. It can be difficult to navigate new compliance requirements if you’re still using outdated techniques to track your risk management program. 

ZenGRC is a platform that allows you to streamline your compliance efforts, assuring that your processes are accounted for and that redundancies are eliminated. This gives you more time to grow your business with the knowledge that your company’s security is on track. Schedule a demo today and learn more about how ZenGRC can help your organization succeed.