Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity compliance program created by the Department of Defense (DoD). The purpose of this program is to standardize the cybersecurity practices used by businesses across the Defense Industrial Base (DIB).
CMMC is meant to reduce vulnerabilities in the chain of possession of information not for public release. As the saying goes, a chain is only as strong as its weakest link. By complying with CMMC, all the links in the chain will have a baseline strength depending on the classification level of material they handle.
Cybersecurity Maturity Model Certification
How exactly does CMMC work? It’s a tiered model in which businesses that handle information in the highest classification level are required to comply with the highest level of certification. Each level also includes all the requirements of the levels below it. New levels don’t have different requirements; they have additional requirements.
Originally, there were 5 levels of CMMC, detailed below.
Level 1: Basic Cyber Hygiene
This level is for businesses that only deal with Federal Contract Information (FCI). It includes 17 practices and a third-party assessment.
Level 2: Intermediate Cyber Hygiene
A transitional level that includes 72 practices for businesses to follow. It also features 2 maturity processes.
Level 3: Good Cyber Hygiene
Necessary for businesses that handle Controlled Unclassified Information (CUI). This level includes 130 practices, 3 maturity processes, and an additional third-party assessment.
Level 4: Proactive Cyber Hygiene
Another transitional level that includes 156 practices and 4 maturity processes.
Level 5: Advanced Cyber Hygiene
The highest level of CMMC compliance. Level 5 includes 171 practices, 5 maturity processes, and an additional third-party assessment. This level is for businesses that handle CUI and critical programs.
The new version of CMMC, CMMC 2.0, is now here. Under CMMC 2.0, practices and processes have been replaced by requirements. There are also only 3 tiers, down from 5, to streamline the model and make it easier for businesses to follow. The mandatory cybersecurity assessments have also been updated for the new model. The three CMMC 2.0 levels are detailed below.
Level 1
The first level comes with 15 requirements and an annual self-assessment. Most businesses should comply with this level of cybersecurity regardless of whether or not they work within the DIB.
Level 2
The second level includes 110 requirements that align with NIST SP 800-171. It comes with a triennial third-party assessment and an annual affirmation of select programs.
Level 3
The third and highest level of compliance includes 134 requirements that align with NIST SP 800-171 and NIST SP 800-172. A triennial government-led assessment is added as well, and the annual affirmation of select programs remains in place.
Who Needs to be CMMC Compliant?
CMMC compliance is for businesses that are part of the DIB (those that work with DoD information). The more secure the handled information needs to be, the higher the tier of compliance that is required.
Hundreds of thousands of businesses of various sizes are part of the DIB. There are primary contractors who work directly with the DoD. And there are subcontractors who provide secondary work, such as transportation. Any of these businesses that handle DoD information will need to be compliant.
In the future, all DoD contracts may require specific tiers of CMMC compliance – no compliance could result in the loss of the contract.
CMMC Third-Party Assessor Organizations
Certified Third-Party Assessor Organizations (C3PAOs) perform the third-party CMMC assessments for compliance. C3PAOs are accredited and authorized by the CMMC Accreditation Body and must be used for these assessments (required for CMMC Level 2+) in order for them to count.
A business seeking CMMC compliance will have to pay for an assessment by a C3PAO – the government does not cover this cost. The price of an assessment depends on multiple factors. One major factor is the level of compliance required by the business. The higher level of compliance, the more thorough the assessment must be. Business size may also play a role, especially for larger businesses.
Achieve Compliance with ITSG
Businesses that handle Department of Defense information must acquire Cybersecurity Maturity Model Certification compliance. The level of compliance depends on the information the business handles, with CMMC 2.0 having 3 levels.
This requirement applies to both primary contractors and subcontractors within the Defense Industrial Base. Businesses seeking Level 2 compliance and above must use Certified Third-Party Assessor Organizations for their third-party assessments.
If your business needs to be CMMC compliant, ITSG can help. We’ve been helping businesses secure their data for over 30 years. Developing business-wide security procedures, training your team on security best practices, and streamlining your security reporting process are just some of the ways we can help your business be CMMC compliant.
Contact us today to learn more about what working with ITSG as your IT support specialists can do for your business.