What is CMMC?

CMMC is an acronym for the Cybersecurity Maturity Model Certification. In recent years the Department of Defense (DOD) has become concerned with vendor and supply chain information security, and specifically with the security of controlled unclassified information (CUI) in the defense industrial base. Prior to CMMC, DOD contractors were simply required to perform a self-assessment and certify that they were in compliance with the cybersecurity framework NIST SP 800-171. The advent of CMMC adds teeth to this requirement as contractors will now be audited for CMMC compliance using a tiered approach based on how much sensitive information the contractor handles and the DOD RFIs and RFPs the contractor wishes to bid on. Accreditation is overseen by the CMMC Accreditation Body (CMMC-AB) and audits are performed by third-party assessment organizations (C3PAOs).

Why is it important to comply with CMMC?

Even if you don’t currently work with the government, your company may have to comply with CMMC if you are interested in obtaining contracts with government entities in the future. The requirements depend greatly on the type of contract you seek to pursue. The good news is that out of the 5 total CMMC Levels, many contracts stipulate only Level 1 or Level 2 compliance. Meeting the requirements of Levels 1 and 2 is far more attainable than you may think. In the next section, we discuss the CMMC levels further and provide details about what you must do to meet the requirements under each level.

It’s also worth noting that, depending on your field, the contracts mandating a higher level of CMMC compliance are often the contracts that bring the greatest benefits to your organization. Furthermore, even if you don’t plan to ever work on DOD or other government contracts, you may still want to reach at least a basic level of CMMC compliance. The fact is that if you aren’t compliant with CMMC, your organization is at greater risk of experiencing a cyberattack, and a single cybersecurity incident can seriously derail your organization. With cybersecurity, an ounce of prevention is always worth a pound of cure. The basic requirements of CMMC compliance are based on standard best practices for preventative and proactive cybersecurity policies.

What are CMMC levels?

CMMC is broken down into 5 levels based on the amount of CUI that the contractor handles. Each level requires meeting certain cybersecurity requirements and effectively represents an information security maturity level. CMMC requirements are taken from various cybersecurity frameworks but are primarily derived from NIST 800-171. Each level represents compliance with a certain number of requirements under NIST 800-171, ranging from Level 1 CMMC compliance (meeting 17 controls) to Level 5 CMMC compliance (meeting all 171 security controls). Once a contractor is confident that they have met the requisite level, they can pay an outside assessor (C3PAO) to conduct a CMMC audit and issue a certification. Beginning in 2021, many U.S. Department of Defense contracts will specify the level of CMMC compliance required for a prime contractor to win the contract. Subcontractors working under the prime contractor will also be required to meet the prime’s level of CMMC compliance. So, what are the levels of CMMC requirements, and how many controls are needed at each level to achieve CMMC certification?

CMMC Level 1 (Basic Cyber Hygiene)

CMMC Level 1 represents a very basic cybersecurity program. Meeting Level 1 requires the implementation of 17 controls, such as using complex passwords and ensuring the physical security of IT equipment. In many cases, organizations that need to comply with CMMC Level 1 will be handling federal contract information (FCI) but nothing more sensitive than that.

CMMC Level 2 (Intermediate Cyber Hygiene)

CMMC Level 2 requirements are significantly more stringent than those of Level 1 and include several more advanced cybersecurity controls. CMMC Level 2 requires implementing all of Level 1 and meeting a total of 72 cybersecurity practices.

CMMC Level 3 (Good Cyber Hygiene)

CMMC Level 3 is likely where many defense contractors and subcontractors will land. Level 3 requires adherence to all practices required under Levels 1 and 2, plus additional controls from NIST SP 800-171, for a total of 130 controls.

CMMC Level 4 (Proactive)

CMMC Level 4 requires meeting 156 information security requirements. It represents an advanced cybersecurity program that can deal with most threats. Meeting Level 4 CMMC compliance requires enforcing cybersecurity standards throughout the organization, in addition to meeting all requirements for Levels 1 through 3.

CMMC Level 5 (Advanced/Proactive)

CMMC Level 5 represents an advanced, progressive information security program that is continuously optimized and can handle advanced persistent threats (APTs). CMMC Level 5 requires implementing 171 controls.

What do I need to do to comply with CMMC?

The first step in identifying what you need to do is to select which level you plan to comply with. Many DOD RFPs will likely require a minimum of Level 3 CMMC compliance. In addition, the requirements under CMMC Level 3 should already be in place as part of your organization’s cybersecurity program. We typically recommend that defense industrial base (DIB) contractors begin by aiming for Level 3 compliance and move to Level 4 or 5 if they believe they will be bidding or subcontracting on contracts that require access to highly sensitive data.

After you have determined which level you plan to comply with, the next step is typically to ensure you are compliant with NIST 800-171. Given that CMMC is based on a range of principles from government guidelines such as NIST, you can meet a number of CMMC controls by ensuring compliance with NIST 800-171. The next step is to look into third-party assessment organizations (C3PAOs). You cannot certify your own organization; third-party assessors provide the certification of your CMMC compliance and maturity. Finally, confirm the level of CMMC compliance required for your organization. As discussed previously, there are 5 levels, each building on the last.

CMMC Certification

To get certified at a particular level of CMMC, begin by identifying the level you aim to comply with. Work to ensure that you meet the full set of requirements for your desired level of compliance. In many cases, it can be helpful to bring in a third-party cybersecurity firm that can help you implement security controls that are effective, targeted, and that streamline rather than disrupt your business processes. Once you are confident that you meet the requisite controls, you will need to bring in a third-party assessment organization (C3PAO), which will audit your information security program against your desired certification level. If you pass the audit, you will be accredited by the CMMC Accreditation Body in accordance with the recommendation of your third-party assessment organization.

Tailored CMMC Compliance Services

Touchstone Security provides world-class, tailored CMMC compliance services. We begin by performing a gap assessment that analyzes which certification level your organization is aiming for and where you are right now. We then present a tailored plan that will streamline your information security program and provide effective protection against threats. We can help you pass your CMMC assessment, work with assessors, and set your company up to bid for DOD contracts.

CMMC Compliance from Industry-Leading Experts

Touchstone Security has experience working with a range of organizations, including NJ Transit, Columbia University, and the U.S. Army. We specialize in helping companies meet complex compliance requirements such as CMMC, GLBA, the NYDFS Cybersecurity Regulation, HIPAA, and others while keeping business processes streamlined.

We bring decades of cybersecurity compliance experience to the table for every contract we take on. We’ve helped numerous organizations understand and meet their compliance requirements. The experts at Touchstone Security are on call for you. When you need us, we’re there to help guide you through complex requirements and implement changes to meet them. We take the complexity out of information technology environments and streamline the process to meet compliance requirements.

Our experienced information systems professionals can help you get accredited for CMMC, build a proactive information security program, and safeguard sensitive information. Touchstone Security is ready to help you deal with the cyber threats of the 21st century while building a cost-effective security plan and meeting complex compliance requirements. If you are unsure about legal requirements surrounding CMMC, we recommend consulting with a qualified attorney.