What is CMMC?
CMMC is an acronym for the Cybersecurity Maturity Model Certification. In recent years the Department of Defense (DOD) has become concerned with vendor and supply chain information security, and specifically with the security of controlled unclassified information (CUI) in the defense industrial base. Prior to CMMC, DOD contractors were simply required to perform a self-assessment and certify that they were in compliance with the cybersecurity framework NIST SP 800-171. The advent of CMMC adds teeth to this requirement as contractors will now be audited for CMMC compliance using a tiered approach based on how much sensitive information the contractor handles and the DOD RFIs and RFPs the contractor wishes to bid on. Accreditation is overseen by the CMMC Accreditation Body (CMMC-AB) and audits are performed by third-party assessment organizations (C3PAOs).
What are CMMC levels?
CMMC is broken down into 5 levels based on the amount of CUI that the contractor handles. Each level requires meeting certain cybersecurity requirements and effectively represents an information security maturity level. CMMC requirements are taken from various cybersecurity frameworks but are primarily derived from NIST 800-171. Each level represents compliance with a certain number of requirements under NIST 800-171, ranging from level 1 CMMC compliance (meeting 17 controls) to level 5 CMMC compliance (meeting all 171 security controls). Once a contractor is confident that they have met the requisite level, they can pay an outside auditor (C3PAO) to conduct a CMMC audit and issue a certification. Beginning in 2021, many U.S. Department of Defense contracts will specify the level of CMMC compliance required for a prime contractor to win the contract. Subcontractors working under the prime contractor will also be required to meet the prime's level of CMMC compliance. So, what are the levels of CMMC requirements, and how many controls are needed at each level to achieve CMMC certification?
CMMC Level 1 (Basic Cyber Hygiene)
CMMC Level 1 represents a very basic cybersecurity program. Meeting level 1 requires the implementation of 17 controls such as using complex passwords and ensuring the physical security of IT equipment. In many cases organizations that need to comply with CMMC level 1 will be dealing with federal contract information (FCI) but nothing more sensitive than that.
CMMC Level 2 (Intermediate Cyber Hygiene)
CMMC level 2 requirements are significantly more stringent than CMMC level 1 and include several more advanced cybersecurity controls. CMMC level 2 requires the implementation of CMMC level 1 and meeting a total of 72 cybersecurity practices.
CMMC Level 3 (Good Cyber Hygiene)
CMMC level 3 is likely where many defense contractors and subcontractors will land. Level 3 requires adherence to all practices required under levels 1-2 with additional controls from NIST SP 800-171 for a total of 130 controls.
CMMC Level 4 (Proactive)
CMMC level 4 requires meeting 156 information security requirements. It represents an advanced cybersecurity program that can deal with most threats. Meeting level 4 CMMC compliance requires the imposition of cybersecurity standards throughout the organization in addition to meeting all requirements for levels 1-3.
CMMC Level 5 (Advanced/Proactive)
CMMC level 5 represents an advanced/progressive information security program that is continuously optimized and can handle advanced persistent threats (APTs). CMMC Level 5 requires implementing 171 controls.
What do I need to do to comply with CMMC?
The first step in identifying what you need to do is to select which level you plan to comply with. Many DOD RFPs will likely require a minimum of level 3 CMMC compliance. In addition, the requirements under CMMC level 3 should already be instituted as part of your organization's cybersecurity program. We typically recommend that defense industrial base (DIB) contractors begin by aiming for level 3 compliance and move to 4 or 5 if they believe they will be bidding or subcontracting for contracts that require access to highly sensitive data.
To get certified at a particular level of CMMC, you should begin by identifying what level you aim to comply with. Work to ensure that you meet the full set of requirements for your desired level of compliance. In many cases, it can be helpful to bring in a third-party cybersecurity firm that can help you implement security controls that are effective and targeted, and that streamline rather than harm your business processes. Once you are confident that you meet the requisite controls, you will need to bring in a Certified Third Party Auditor (C3PAO) who will audit your information security program against your desired certification level. If you pass the audit, you will be accredited by the CMMC accreditation body in accordance with the recommendation of your third-party assessment organization.
Tailored CMMC Compliance Services
Touchstone Security provides world-class tailored CMMC Compliance. We begin by performing a gap assessment that analyzes what certification level your organization is aiming for, and where you are right now. We then present a tailored plan that will streamline your information security program and provide effective protection against threats. We can help you pass your CMMC Assessment, work with assessors, and set your company up to bid for DOD contracts.
CMMC Compliance from Industry-Leading Experts
Touchstone Security has experience working with a range of organizations, including NJ Transit, Columbia University, and the U.S. Army. We specialize in helping companies meet complex compliance requirements such as CMMC, GLBA, the NYDFS Cybersecurity Regulation, HIPAA, and others while keeping business processes streamlined. Our experienced information systems professionals can help you get accredited for CMMC, build a proactive information security program, and safeguard sensitive information. Touchstone Security is ready to help you deal with the cyber threats of the 21st century while building a cost-effective security plan and meeting complex compliance requirements. If you are unsure about the legal requirements surrounding CMMC, we recommend consulting a qualified attorney.