A Cybersecurity Maturity Model Certification (CMMC) is not something you can easily acquire within a short period. It takes considerable work to review, implement, enforce, and document hundreds of controls and policies. You’ll also have to train your employees in the new procedures that adhere to the CMMC guidelines. As such, it’s better to know now if it's something your business needs or will need to continue operations.
We talked with Sean Harris, a resident CMMC expert at Intelligent Technical Solutions (ITS). As a CMMC Registered Practitioner (RP), Harris has a thorough understanding of and experience in this cybersecurity regulation, and that’s what we will share with you.
In this article, we’ll talk about the CMMC framework, focusing on the businesses required to comply with this regulation. We’ll also:
- Give a brief overview of CMMC 2.0
- The different levels under it
By the end, you will find out whether your business needs CMMC and the level you need to be at if you do need it.
What is CMMC?
CMMC, or Cybersecurity Maturity Model Certification (CMMC), is a cybersecurity program created by the Department of Defense (DOD) for the Defense Industrial Base (DIB) for the vendors, contractors, and suppliers that assist the DOD.
It was established as a solution to the high volume of attacks geared toward government contractors. These attacks gave malicious actors access to crucial government information, such as controlled unclassified information (CUI) and federal contract information (FCI), without going through government defenses.
In 2021, the US administration reviewed and revised the then-11-year-old CMMC guidelines and introduced CMMC 2.0. Major changes were made, including:
- Reducing levels from five to three and
- Changing assessment processes for each level
Ultimately, the revisions were made to simplify the process and make it easier for businesses to maintain certification, while ensuring a more robust cybersecurity program.
What types of businesses need CMMC?
According to the DOD, 300,000 organizations will be affected by these cybersecurity standards, so the question now is: Which businesses need to comply with CMMC?
More importantly, does your business need to be CMMC compliant?
When asked which businesses need CMMC, Harris said, “Any organization that wants to do work with the Department of Defense or any vendor that's doing work for the Department of Defense is going to be subject to CMMC. So, at the very least, they’ll be subject to identifying and scoping if their data is subject to it.”
As mentioned, the CMMC program was established for the DIB supply chain, meaning all businesses who interact with the DOD and have access to FCI and CUI must comply. Included are contractors and subcontractors who provide the department with products or services.
Commercial businesses that produce off-the-shelf products or provide service to people without connections to the DOD are not subject to CMMC. However, if they want to work with the department in the future, it is better to comply now so they can push through with their plans.
So, regardless of the industry you're in or the size of your business, if you're even slightly in contact with the DOD or have access to their data, then you need CMMC.
What level of certification does your business need?
Knowing whether you need CMMC is just the first step of the process. Determining what level of certification you require for your operations is also important.
We mentioned that there are three levels in CMMC 2.0, and we’ll explain each of them now to help you determine which level you need.
Level 1 (Foundational Cybersecurity)
The first and foundational level of CMMC applies to companies that handle federal contract information or FCI. These are contract information provided by the government and relevant contractors. Under this level, businesses must follow the most basic cybersecurity practices based on 17 controls under the Basic Safeguarding of Covered Contractor Information.
You may achieve certification through self-assessment, which should be performed every year.
Level 2 (Advanced Cybersecurity)
The advanced level is a compressed version of levels two and three from the previous CMMC program. Compliance is required for businesses that handle controlled unclassified information or CUI. It mirrors the requirements of the National Institute of Standards and Technology SP 800-171 or NIST 800-171 and makes up 110 cybersecurity practices.
Self-assessment is not possible for this level. Instead, you will require a C3PAO or a CMMC Third Party Assessor Organization, an external body authorized to audit and verify CMMC compliance. These audits and verifications are required every three years.
Level 3 (Expert Cybersecurity)
Level 3 is focused on protecting CUI within the DOD’s highest priority programs and reducing the volume and risk of Advanced Persistent Threats (APTs). It combines controls and practices from NIST 800-171 and a subset from NIST 800-172.
As for the assessments and certification, a government agency will be in charge. And much like level two, it must occur every three years.
Need Help with CMMC Compliance?
We’ve laid out everything there is to know about CMMC, particularly CMMC 2.0. This new set of cybersecurity regulations is a requirement for businesses working with and hoping to work with the DOD. If you are a contractor or subcontractor that handles sensitive government data such as FCI and CUI, then you belong in this category.
ITS has decades of experience providing managed IT services and solutions such as compliance. We have kept up with the many industry regulations businesses need to comply with, and CMMC is no exception. If you need help achieving compliance, speak with our experts or download our CMMC 2.0 application guide.
If you need to know more about CMMC, check out these other pieces of content in our learning center:
- How Much Does CMMC Compliance Cost? (& Is It Worth It?)
- What CMMC 2.0 Level Do I Need? (+ A Step-by-step Guide for Choosing)