Explaining the Department of Defense’s (DoD) CMMC Requirements

Understanding the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is important for businesses in many industries who could potentially work with a DoD contract. It’s critical to know what is needed of you to obtain and fulfil these contracts successfully.

The Need for CMMC for the DoD

CMMC was created to establish a single set of guidelines for contractors who work with the Department of Defense and to help the DoD determine the preparedness of organizations to handle Controlled but Unclassified Information (CUI).

Cybercriminals know that most contractors have weaker cybersecurity systems than the DoD, especially smaller companies, so these companies must have the necessary systems in place to ensure this information’s security.

The requirements listed for each level of CMMC compliance determine if a business has the necessary security protocols and practices in place to protect sensitive data while fulfilling a contract with the DoD.

Any business working on DoD contracts that has a CMMC requirement must adhere to the designated level of compliance based on the needs of that contract and the information being handled. This is because government information becomes more vulnerable when being transferred and used by businesses during contract work and must be protected to avoid being leaked or stolen.

Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)

There are two types of information that need to be protected when in use by a contractor or subcontractor working with the Department of Defense:

1. Controlled Unclassified Information (CUI): This highly sensitive class of government information requires at least level 2 for CMMC 2.0 and can sometimes require levels above that depending on the requirements of the contract.

2. Federal Contract Information (FCI): FCI is non-public information that is less valuable in the eyes of the DoD and requires lower levels of CMMC compliance. For FCI, only level 1 of both CMMC 1.0 and 2.0 are required as a starting place. Depending on the contract, CMMC 1.0 level 2 could also be needed.

CMMC 2.0 Requirements

CMMC was formerly divided up into 5 distinct levels (known as CMMC 1.0). But, the future of CMMC—which will be instated at a yet-to-be-determined date—is CMMC 2.0 which streamlines 1.0’s levels system, reducing them to 3 and lowering the required practices. Take note of the key differences in this graphic:

For CMMC 2.0, here’s a breakdown:

Level 1 (Foundational): The first level of CMMC 2.0 contains 17 security practices and can handle only FCI. This level of compliance requires an annual self-assessment.

Level 2 (Advanced): The second level requires 110 practices and can handle both CUI and FCI. Organizations that handle critical national security information like CUI are required to have triennial third-party assessments. Organizations handling less valuable information are only required to perform an annual self-assessment. This will be decided by the DoD’s Contracting Officer and will be detailed in the contract itself.

Level 3 (Expert): The exact details of Level 3 have not yet been concretely defined and will be confirmed after the final rulemaking process is complete. But, this will be the highest level of CMMC 2.0 contains 110+ practices, and businesses that meet this level can handle the most sensitive DoD information needed to perform contractual work. This level requires a triennial government-led assessment to achieve.

In Conclusion

The DoD’s CMMC requirements can be complicated for businesses to stay on top of and understand, especially with CMMC 2.0 on the horizon.

How prepared are you for a CMMC assessment? Do you have the security practices implemented to pass? Use this checklist to see how businesses can prepare for a CMMC assessment.