According to the DoD, the loss of controlled unclassified information (CUI) from the Defense Industrial Base (DIB) has increased the risk to our economy and national security. To mitigate this risk, a compliance framework is needed to enhance the protection of CUI. The Cybersecurity Maturity Model Certification (CMMC) is the result. There are five levels of CMMC compliance. Companies that wish to retain contracts with the DoD will be required to achieve certification at a particular level, which will be stated in the contract information. The majority of contracts will require a level 1 or level 3 certification. In this blog, we’re going to go over the five levels and what organizations need to do in order to obtain compliance and keep their contracts with the DoD.
Five Levels of CMMC Compliance Overview
All CMMC certification levels above level 1 consist of two measurements: processes and practices. Processes consist of the policies and plans for each of the 17 domains covered by the CMMC. Practices are the actual implementation of controls, such as access control and configuration management.
Level 1 is the base level of CMMC certification and consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. This level consists of 17 basic cybersecurity practices, such as implementing identity, authentication, and basic access controls.
Level 1 is all about protecting federal contract information (FCI) and will be required of anyone who wishes to obtain DoD contracts. The majority of contracts will require this level of certification.
Level 2 is more about creating a base level of cybersecurity for organizations who handle controlled unclassified information (CUI). This level of certification will require:
- Written policies for each of the 17 domains covered by CMMC
- Documented practices for implementing the policies for each domain
- A more extensive set of security practices
Level 3 focuses on protecting CUI, expanding upon the base security practices established in levels 1 and 2, and increasing the overall security of the organization. This level will require organizations to establish, maintain, and resource a plan that demonstrates the management of activities for the implementation of CMMC. If your organization handles both FCI and CUI, you will have to meet level 3 or higher, which is why level 3 is expected to be the second most, if not the most, frequently mandated maturity requirement of all the CMMC certification levels.
With level 4, the main focus shifts to enhancing the organization's effectiveness at protecting CUI from Advanced Persistent Threats (APTs). While level 4 does not require as many new practices to implement as levels 2 and 3, the practices listed are much more complex to both implement and maintain.
Level 4 will require organizations to review and measure practices for effectiveness and to implement a subset of enhanced security practices from DRAFT NIST SP 800-171B and other security best practices, for a total of 26 additional practices on top of those required for level 3.
Level 5 requires organizations to standardize and optimize process implementation across the organization. This level again focuses on protecting CUI from APTs and implements more advanced security practices for the organization. These additional practices increase the depth and sophistication of the organization's cybersecurity capabilities and consist of 15 additional practices above level 4.
Meeting Your Compliance Level with Kyber Security
Here at Kyber Security, we understand that for most organizations, becoming CMMC compliant is much more of a journey than a destination. We can work with you to guide you on this journey and help ensure that you can continue your contracts with the DoD. Contact Kyber Security today.