Understanding the CMMC Framework & Levels
The days of self-assessment of cybersecurity by defense contractors are over. DoD contractors and subcontractors in the supply chain must now follow the Cybersecurity Maturity Model Certification (CMMC), under which independent assessors verify that they comply with the CMMC framework. Here’s how it all fits together.
While you may be unfamiliar with the maturity model concept, it’s not as confusing as it might seem. In simple terms, it’s a series of measures and principles arranged in different levels. “Maturity” refers to the way you move up through the levels, adopting new procedures or enhancing the way you carry them out. Think of the levels more like a ladder than a score, with you stepping up from one level to another in sequence.
CMMC involves independent assessment against five levels of compliance. Level 1 is the most basic and is largely an objective checklist, but you’ll need it before bidding on any DoD contract that involves Federal Contract Information (FCI). Levels 2 through 5 involve a more in-depth assessment. Contracts that involve Controlled Unclassified Information (CUI) will specify a minimum CMMC level for bidders, depending on the sensitivity of the information and the level of security required.
The five levels increase not just in the level of cybersecurity but also the approach you take to it. Levels 1 through 3 effectively involve “basic”, “intermediate” and “good” cybersecurity respectively. Level 4 involves taking proactive measures while level 5 is when you’ve optimized your security procedures.
The requirements for specific levels cover a host of measures (officially known as “practices”), organized into 17 areas known as “domains”:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Each domain has practices at one or more levels, though not every domain has practices at all five. To make things slightly more complicated, the 171 total practices are also grouped into 43 “capabilities.”
The levels are cumulative: to achieve certification at a particular level you’ll need to prove to the assessor that you comply with all the practices at that level and at every level below it. Knowing or believing that you already do everything necessary is not enough; the assessor must see evidence that each practice is in place.
The requirements also apply to all subcontractors and suppliers on a particular contract. Prime contractors are responsible for confirming every player in the supply chain has the appropriate certification level for the information they will handle.
The good news is that the DoD does publish details of the entire framework and what assessors will be looking for. This means it’s a smart idea to run through all the necessary practices for a particular level and check you are—in principle at least—fully compliant before you apply for certification.
If you’re wondering how this fits in with the existing National Institute of Standards and Technology requirements for defense contractors (formally NIST SP 800-171 Rev. 2, with its 110 security requirements), some of those requirements are covered by CMMC level 2 and all of them are included by level 3, which adds further practices on top.
Now that you know the basics, you may still have questions about how to make sure you can achieve the relevant levels and boost your chances of winning contracts. We’ll be happy to advise on security measures you can take, both to meet CMMC and to improve your overall cybersecurity, so please do get in touch.