February 08, 2022
When working with the Department of Defense (DoD), a certain level of cybersecurity is expected to safeguard critical information.
The government measures the security maturity of its contractors and subcontractors with CMMC controls that establish a baseline for businesses to achieve in order to work on government contracts and handle sensitive information.
The Cybersecurity Maturity Model Certification (CMMC) is a compliance framework that helps the Department of Defense determine how prepared organizations are to protect Controlled Unclassified Information (CUI).
These CMMC requirements determine if businesses have the necessary security protocols and practices to protect potentially vulnerable data.
CMMC was created to measure the maturity levels of an organization’s cybersecurity standing.
These requirements are split into three levels, and companies that wish to obtain or support DoD contracts need to be CMMC rated and become certified at whichever level is necessary for the specific contract they seek.
CMMC certification will be required for any business or manufacturer working on DoD contracts that have a CMMC requirement. Prime contractors will be responsible for ensuring a subcontractor's CMMC compliance.
Essentially, companies that work with the DoD and handle types of sensitive information that would represent a significant security risk if leaked or stolen will have to comply with CMMC requirements.
Hackers know that it is easier to get this data from smaller companies further down the supply chain without the security resources of the US government, so these businesses become a big target when handling sensitive information.
That’s why the DoD requires that these businesses meet the requirements of CMMC compliance to obtain and fulfill contracts.
There are two types of information that the DoD is looking to protect with its CMMC program: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
CUI is more sensitive and requires a higher CMMC level to handle. It’s defined as information that is not classified but requires safeguarding due to government policies, laws, or ordinances.
FCI is information pertaining to federal contracts.
CMMC is split into distinct levels (1-3) of compliance. Companies must certify or be certified at specified levels if they want to work with more sensitive information.
For example, CMMC Level 1 compliance works with FCI and Level 3 with CUI, i.e. more valuable information that requires stronger cybersecurity practices to ensure protection.
Companies that don’t work with the government or only handle public information technically do not need to meet the CMMC regulations unless they are looking to one day obtain a DoD contract that deals with more sensitive information. CMMC does not address requirements for working with any type of classified data.
But the basic principles of CMMC are rooted in cybersecurity best practices that every organization should be looking to implement in any event. CMMC is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev 2.
It is typically in the best interests of most companies to achieve CMMC compliance on their own to know that they are meeting a certain quality of cybersecurity within their organization.
The first level of CMMC establishes guidelines for basic cybersecurity hygiene for businesses and is the foundation that the other levels are built upon.
Level 1 consists of 17 security best practices and companies must conduct an annual self-assessment to ensure compliance (and risk large penalties if found not compliant). This self-assessment is attested by the CEO, President, or Owner of the company.
Level 1 establishes many basic cybersecurity best practices like password protection, basic security systems, and antivirus software. Level 1 CMMC certification is designed to protect FCI.
Level 2 takes the 17 security practices from Level 1 and adds an additional 93, totaling 110. Level 2 compliance requires a certified third-party assessment every three years.
With 110+ controls required to meet these standards, Level 3 is the toughest to achieve and requires government-led assessments every three years.
Level 3 takes a more proactive approach to cybersecurity, requiring technology that can detect and mitigate threats before they begin.
CMMC Level 3 prepares businesses for the complete protection of both CUI and FCI.
The steps to obtaining a CMMC certification depend largely on which level of CMMC compliance a business needs to achieve.
If only Level 1, a self-assessment is enough to claim certification. For Levels 2 and 3, a third party or DoD assessment is needed from a certified source in order to achieve certification.
Once achieved, a CMMC certification is valid until the next assessment is required. For Level 1, this is every year; for Levels 2 and 3, this is every three years.
The DoD, or other government agencies, will determine which level of CMMC certification a company needs for a particular contract.
If you’re looking to do business or obtain contracts with the Department of Defense, acquiring the appropriate level of CMMC certification is a must. Even if you don’t currently work with the government, it’s generally a good idea to strive to achieve the standards of at least Level 1, which sets a solid foundation for healthy cybersecurity best practices within an organization.
If you need help identifying what you need to become CMMC certified or want to learn more about building a strong security culture in your business, contact DOT Security today to speak with an expert who can help you get started.