The number of cyber-attacks continues to skyrocket – government agencies, private businesses, and not-for-profits are all in the crosshairs of cybercriminals and nation-state threat actors. The risk to government agencies is incredibly high since the nature and sensitivity of the data they manage go far beyond most data held by private enterprise. To bolster the DoD’s already extensive security framework, the Office of the Undersecretary of Defense for Acquisition and Sustainment recently introduced the Cybersecurity Maturity Model Certification (CMMC), designed to protect unclassified data shared across the defense supply chain.
5 Levels of CMMC
There are different levels of cybersecurity protections required by CMMC based on the amount and type of unclassified information transmitted, received, and stored on the contractor’s network. And that means the types and level of protection that must be implemented vary from contractor to contractor. Here’s a high-level overview of the 5 levels of CMMC:
Level 1 – Basic Cyber Hygiene
At this level, contractors are expected to meet basic requirements to protect Federal Contract Information (FCI). This includes any information obtained that is not meant for public release, provided by the government as part of a contract to develop or deliver a product/service. Examples include using anti-virus software and robust password protection policies. There are 17 practices in level 1.
Level 2 – Intermediate Cyber Hygiene
Level 2 is a subset of the security requirements specified in NIST SP 800-171 and includes practices from other standards as well. Contractors are required to document practices to guide the implementation of CMMC practices. The documentation of practices allows for the repetition of essential tasks. There are 72 practices in level 2.
Level 3 – Good Cyber Hygiene
CMMC level 3 focuses on the protection of controlled unclassified information (CUI) and includes protections outlined NIST SP 800-171 plus an additional 20 practices. Contractors are required to establish, maintain, and update a cybersecurity plan to achieve these objectives. There are 130 practices in level 3.
Level 4 – Proactive
Level 4 requires contractors to adopt practices that facilitate and enhance detection and tracking capabilities in the event of an attack. It is required to evaluate practices to determine the effectiveness and make changes when necessary. There are 156 practices in level 4.
Level 5 – Optimizing
At level 5, contractors are required to standardize and optimize implementation across the organization. The focus is on developing a robust and highly effective cybersecurity program. There are 171 practices in level 5.
CMMC Readiness Assessment
For many vendors who work with the DoD or other large government agencies, their contracts are the lifeblood of their business. Are you ready for CMMC, and at the level you needed for obtaining or retaining a DoD contract? A CMMC Readiness Assessment can help you determine where you stand – and what you need to do to meet your required level of CMMC hygiene.
Barnes Dennig can help your organization Assess, Remediate, Prepare and Achieve CMMC compliance.
Over the next five years, DoD contractors will be required to comply with CMMC requirements or risk becoming ineligible for new or renewing DoD contracts. So, it’s critical to consult with a qualified cybersecurity consultant who can evaluate your situation and determine the best path forward. Contact us to get started on your CMMC readiness assessment today.