If you work with the US Department of Defense — or you want to start doing so — CMMC compliance is going to become a critical component of doing so.
But there’s been a lot of confusion about CMMC, and some of it stems from the military’s rollout of the program, which has been a little complicated.
In this post, we’ll show you what CMMC compliance is, how it relates to DOD cybersecurity and acquiring DOD contracts, and all the details you need so you can determine your next steps surrounding CMMC compliance or certification.
What Is CMMC?
CMMC is an acronym for Cybersecurity Maturity Model Certification. It’s a certification system that aims to determine how adept an organization is at cybersecurity practices — in other words, how mature the organization is in terms of cybersecurity policies and practices.
The CMMC model was first released on January 31, 2020. It is a response to numerous breaches and compromises of DOD information that occurred not in DOD systems but in those of contractors with access to DOD information of varying levels of sensitivity.
Businesses that want to work on projects or systems that contain DOD information and data need to become CMMC compliant by achieving the appropriate level of CMMC certification.
CMMC is a tiered system requiring third-party audits and certification. More than 300,000 companies in the defense industrial base supply chain are expected to meet at least basic CMMC certification.
Is CMMC a Key Part of DOD Cybersecurity?
Yes. Most contractors working with the Department of Defense (DOD) will need to demonstrate CMMC certification and compliance if they work with network systems and infrastructure.
In an increasingly connected, data-driven, and technology-dependent, more and more contractors end up interacting with the DOD’s digital estate in one way or another. This means that, even in industries and spaces where CMMC compliance may not have mattered in the past, it does increasingly. We’re seeing a steady uptick in CMMC DOD concerns among clients in a wide range of industries that want to serve (or continue serving) the DOD.
How to Determine if You Need CMMC Certification
If your organization is operating with or interacting with information from the DOD, then you likely need CMMC certification.
Classifications within CMMC are set on a per-project basis. If your business interacts with non-classified information only, you likely need level 3 clearance or lower. If you interact with more sensitive information, your needs may be higher.
Most DOD projects will indicate a CMMC certification level within the RFP or other soliciting document.
Because certification levels vary per project, we recommend that all businesses that want to win business or contracts from the DOD pursue the highest level of CMMC certification. With that in place, you’ll be prepared for any and all DOD cybersecurity expectations and position yourself to be ready to bid on any project that suits your capabilities.
What Happens if a Business Doesn’t Achieve CMMC Certification
The answer is simple: businesses that don’t obtain the appropriate level of CMMC certification will flatly be ineligible to work on contracts or projects that require that level of certification. CMMC certification levels, when present in a Request for Information (RFI), constitute a “go/no-go” requirement.
Levels of CMMC Certification
CMMC 1.0 contains 5 levels or bands of certification, ranging from the lowest, level 1, to the highest or most secure, level 5.
The levels are cumulative, meaning that a level 2 certified organization will also fulfill all the requirements for level 1. A level 5 certification means an organization fulfills the requirements for all five levels.
Most companies that have already put in place basic security protocols will already be prepared for a level 1 certification, which covers a range of elements the DOD refers to as “basic cyber hygiene.” As you progress through the levels, though, you’re likely to encounter requirements that you wouldn’t otherwise put into place. By level 3, companies must have in place an institutionalized management plan that implements NIST 800-171 r2 security requirements, among others.
By level 4, companies must implement review processes that measure the effectiveness of their efforts, and they must be able to respond to advanced persistent threats. And by level 5, companies must be able to show a standardized, optimized, continuously improving set of processes that go beyond the requirements of level 4.
Last, companies may not self-certify their compliance as had been the practice in the past. To achieve CMMC certification, companies must enlist a third-party service to audit and verify compliance.
Given the technical specificity of each level, most businesses seeking CMMC DOD compliance rely on external partners, such as a managed security service provider, to prepare their systems for audit and eventual certification.
Globalquest is one such managed security service provider. If you’re needing to develop, demonstrate, or achieve CMMC compliance, we can create a roadmap and help you get there.
What About CMMC 1.0 vs. CMMC 2.0?
As of publishing, CMMC 1.0 is still in its five-year phase-in period, which started in November 2020. During this period, CMMC guidelines apply to certain contracts and not others. Although CMMC is still very new and not even fully implemented, significant revisions have already occurred.
The DOD is referring to these significant revisions as CMMC 2.0. The Acquisition & Sustainment Office of the Under Secretary of Defense explains that CMMC 2.0 came about due to significant feedback about the difficulty of achieving CMMC 1.0 certification, especially for small businesses.
Many businesses expressed concerns about the significant costs they would incur in achieving certification: even those doing basic work on non-classified data would now be expected to undergo time-consuming, expensive third-party certifications.
As a result, CMMC 2.0 is a streamlined approach that, in some ways, requires less of businesses than CMMC 1.0.
The most obvious change is that CMMC 2.0 reduces the levels from five to three and reduces the complexity of the requirements within each.
One of the most significant differences between CMMC 2.0 and 1.0 is that the later version (which is still in development) drops the third-party certification requirement for the lower levels (1 and some of 2), returning the certification landscape somewhat to the status quo. Contractors and third parties are still bound to follow the guidelines, but if they aren’t interested in the highest level of certification, they can once again self-certify that they meet the requirements.
This puts the CMMC protocol in an odd place, at least for the lower levels: the requirements are more complex than before CMMC but less so than CMMC 1.0. Additionally, the burden is on businesses to maintain compliance, but they don’t have to do very much to demonstrate compliance.
CMMC 2.0 Levels Explained
Under CMMC 2.0, the levels have been streamlined, reducing the five levels of CMMC 1.0 to three:
- Level 1: Foundational
- Level 2: Advanced
- Level 3: Expert
According to the DOD’s Acquisition and Sustainment Office, the simplest way to understand these levels mapped against the 1.0 levels is that the old levels 2 and 4 have gone away. The new level 3, Expert, maps roughly to the old level 5. The new level 2, Advanced, maps roughly to the old level 3. (And the level 1s match, more or less.)
In this process, CMMC is aligning its requirements to existing NIST standards and ditching most of the proprietary requirements that are unique to CMMC 1.0.
- Foundational / Level 1 includes 17 security practices that do not formally map to a specific set of NIST standards.
- Advanced / Level 2 in CMMC will be equivalent to NIST SP 800-171, which includes 110 security practices.
- Expert / Level 3 will map to a subset of NIST SP 800-172 that has yet to be defined.
CMMC 2.0 Certification Methods
As the CMMC 2.0 protocol is still in the process of development and formalization, the information below is subject to change. At the time of publishing, however, there are three certification methods included in CMMC 2.0 (as opposed to one in CMMC 1.0).
Level 1 certification applies to organizations that don’t handle controlled unclassified information (CUI) but do handle federal contract information (FCI). At this level, companies must submit a self-assessment with an affirmation from a senior official at the company. No third parties need to be involved.
Level 2 certification is a little bit mixed. Contractors that do not handle information deemed critical to national security may also self-assess as in level 1. Those who do handle such information must be third-party certified by a Certified Third-Party Assessment Organization.
Level 3 certification — as a reminder, this is the highest level — requires a government-led assessment and certification (or at least it will, once level 3 is completed and released).
This staggered approach greatly reduces the burden on small businesses seeking lower levels of certification. However, it may increase the burden on those seeking the highest level of certification since they now must deal directly with the government and not with a private third-party assessor.
Trust Globalquest for Your CMMC Compliance Needs
If your business needs to demonstrate CMMC compliance for the first time — or you want to be ready to do so before running into a contract that requires it— Globalquest can help. It’s incredibly important to work with the right provider for CMMC compliance. Many firms will say they can help — and gladly take your money. But do they have the necessary years of working with government contracts and contractors? Or are they simply chasing the latest compliance craze?
Globalquest is an experienced, mature managed security service provider that has been helping companies that work with the DOD for decades. We can guide you through this complex process—because we’ve done it before, and we’re doing it now for many of our clients.
Ready to take the next step? Reach out to receive a free CMMC compliance checklist, which covers many of the top priorities when preparing for a CMMC audit.