Getting started with the world of CMMC can be a little bit confusing! We’re going to start breaking it down for you so that you don’t have to be searching all over the internet for information! 

What Does CMMC Stand For?

CMMC stands for Cybersecurity Maturity Model Certification. This standard was put in place to replace and collectively unify the different standards that have been required by various government agencies such as the Department of Defense (DoD). 

What is CMMC-AB? 

The CMMC-Accreditation Body (CMMC-AB) is an independent board of directors that are part of a non-profit organization governing the certification of assessors and trainers of the CMMC. The CMMC Industry has working groups with over 100 individuals that ensure the CMMC standards are fair, being consistently applied, manageable for businesses to achieve, and create unity for all governmental departments seeking to work with contracting vendors. The CMMC Model itself was created, and is managed by the DoD. 

What Are the Levels of CMMC?

There are 5 levels within the CMMC. Each level of certification increases the number of requirements for security and processes necessary to ensure information is being handled correctly. The nice thing about the CMMC levels is that each level builds upon itself. It does not scrap all of the effort you have completed when you want to increase your certification level!

For example: To get from Level 1 to Level 2, all requirements of the prior level need to be met. This continues all the way up to the highest level.   

A CMMC Certification will be valid for 3 years, unless major changes have been made. 

The CMMC Certification levels are built from different protocols required previously through the certification practices written by the NIST (National Institute of Standards and Technology). Each level of CMMC adds additional practices (or requirements) that must be implemented. In this graphical representation, you can see that each level of requirements is built out of the different previous certification processes, with the final level built with additional CMMC contributed methods to ensure the highest standards of cybersecurity are being created. Because technology advances quickly, the CMMC’s contributions and reviews of information will be highly valuable to businesses in ensuring they can keep CUI (Controlled Unclassified Information) secure.

 

How Do I Get CMMC Certified?

It’s important to note that, though the CMMC certification requirements have not officially rolled out to be certified (as of this writing in early 2021), much of the requirements necessary for each level have been made available for some time through other certification processes. So there is no reason to avoid getting started in securing your business! 

You should start by understanding which level of certification your business will need, and reviewing the basis from which each required practice comes from. As can be seen in the image on Navigating the CMMC Certification Levels & Practices, Level 1 relies heavily on 48 CFR 52.204-21 as the basis for it’s requirements. Sound confusing? It’s okay! We’ll give you a good overview in this article, and if you need more help, you can check out other articles we’ve written or send us an email! 

All descriptions are purely for information purposes within this blog, and we recommend your certification for CMMC be audited by a CMMC Registered Practitioner to ensure everything is in order for the level you are seeking to gain certification.

How to Know Which CMMC Level You Need

Choosing the level that your organization needs will depend on the contract stipulations that are required for the government agency or larger organization you are choosing to contract with. If you are planning to work as a subcontractor for a larger organization that is working with the government, typically, you will need to be CMMC Level 1 certified. However, your contracting organization will tell you the specifics of what is required for each project. Because these rules require a lot of ongoing monitoring and many subcontractors are not ready for compliance, some contractors provide a sub with a laptop and softwares that are compliant with the requirements if it is necessary to access any CUI and undergo some cybersecurity training procedures.

As a contractor, we recommend your organization silo all CUI data to specific departments that require access in order to increase your certification speed. Unless your entire business focuses on supporting the DoD or other Government agency, it’s not always necessary for all employees to have access to information. This can be far more cost effective and less time intensive to roll out. 

Who Issues The CMMC Certification?

All CMMC certifications will be provided by the CMMC certification body, but every organization must undergo an independent third party audit by a trained CMMC-AB professional certifier. These audits will start being conducted in 2021, and all DoD supply chain members must obtain certification. If you are looking to work with a trained CMMC-AB professional certifier, we are one! 

What Are the CMMC Levels and How Many Controls Are There?

There are 5 levels within the CMMC. Each builds on itself and can be assessed based on the size of the contracting organization’s domains, and CUI access. The controls required for the CMMC vary by level of certification. 

• CMMC Level 1 – This is required for DOD supply chain members that have contracts with the DOD, DFAR contracts. These companies will never have any interactions with CUI data. There are 17 (controls) now called practices at this level
• CMMC Level 2 – This is a transition level indicating that a company is on the road to handling CUI data, but it has not completed the requirements fully to do so or doesn’t have the proven history track record achieved yet. There are 72 practices at this level
• CMMC Level 3 – This level is the minimum requirement to have CUI data in your company.  There can not be any outstanding POA&M items. All process and practice items in the 130 must be complete and the company must have a proven history of maintaining the CMMC requirements for a number of months/years in order to receive Level 3 status.
• CMMC Level 4 – This level has 17 domains in which you must show compliance with 156 practices and be able to demonstrate full compliance with all controls. Level 4 is focused on defense against APT’s (Advanced Persistent Threats), and has more reviews and measures of security to insure effectiveness. 
• CMMC Level 5 – This level retains the 17 domains of level 4, but requires an organization to show compliance with 171 practices and be able to demonstrate full compliance with all controls. This level is focused on strengthening defense against APT’s, and being an organization that is continually looking for new ways to optimize security in the organization. 

Both levels 4 and 5 have not had very much scrutiny and review yet by the CMMC as of this writing in mid-2021. Thus far, we have not become aware of any company seeking out certification for levels 4 and 5 as the CMMC continues to develop details regarding their requirements. 

Will CMMC Replace DFARS?

The CMMC is actually built on DFARS. The problem with DFARS is that it was requiring organizations to self-report regarding their cybersecurity model processes and procedures. This, however, led to a few “documented processes” not being implemented and created many cybersecurity concerns. Many of the cybersecurity certifications also allowed an organization to have “gaps” in their organization in order to get started faster if these gaps were identified, which would basically be considered a future to do list for the organization to address later on. 

Where Can I Get Started With The CMMC?

The CMMC adds a 3rd party auditing layer to support cyber security claims to ensure that there is actual compliance happening within the organization, and to ensure there are ongoing processes in place to scan for potential threats. The new compliance process also means that no more gaps are allowed. You must be fully compliant in order to receive approval in your 3rd party audit. The good thing is that CMMC-AB trained 3rd party registered practioners like us, work with your organization to identify which areas still need to be addressed and consult you on how you can become compliant. Contact us today to get started!