The Cyber Security Maturity Model Certification (CMMC) is a very new concept to many manufacturing companies and businesses within the DoD supply chain. There is still a lot of information that is not defined about CMMC and each of the levels. However, we do know that many organizations will be between CMMC levels 1-3 or must comply with these levels, since each level is cumulative. There is also the most information available about CMMC levels 1-3 and the requirements needed to fulfill those three specific levels. There are multiple requirements needed to pass a CMMC assessment, which includes factors such as cyber hygiene, practice, and the ability to prove maturity on any cybersecurity initiatives implemented. These requirements can look slightly different based on which CMMC level you need to meet, but they involve the same basic principles. Below is a description of the CMMC level requirements for levels 1-3 as well as how you can prepare to meet those requirements:
CMMC Levels 1-3:
Source of information: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
CMMC Level Requirements 1-3 explained:
For your organization to be able to pass a CMMC assessment, there are different cybersecurity initiatives, processes, and documents you must complete based on which level you are required to meet.
Level 1 –
This level is centered around basic cyber hygiene. This is necessary to safeguard Federal contract information (FCI). This is the most basic level, and it does not involve any processes, documentation or having to prove maturity. Although there are no processes for Level 1, there are 17 controls directly mapped to Federal Acquisition Regulation (FAR) 52.204-21 that must be met to achieve CMMC Level 1 compliance. These practices are primarily comprised of physical protection requirements and access controls. There are multiple cyber security initiatives you can begin to prepare you for CMMC level 1.
Level 2 –
This is known as a transitional stage when moving from CMMC level 1 to level 3. Your organization not only has to have specific practices in place, but you also must be documenting these processes and be working on putting a long-term system in place. There are two documented processes required with proof of these in place. They involve documenting how your organization conducts business when it comes to IT hygiene. There are templates available to help you with proper documentation.
This level is focused around managing all the processes you implemented in Level 2. Your organization must have all the documented systems and procedures working and in place, not only documenting the process, but also managing it and have the ability to show proof that it is implemented. Many organizations have a committee at this stage where all members know their jobs and role within the process. At this level it is important to be able to prove maturity and show that these processes are apart of your organization and you have been actively practicing them. You must create a system security plan for NIST SP 800-171 rl and create one more documentation, along with the two documentations from level 2.
How to meet each requirement:
As explained above there are different requirements for CMMC levels 1-3 however, they are similar. For level one there are 17 controls you must meet. Since this involves just basic cyber hygiene, there are simple cybersecurity initiatives to implement in order to pass level 1’s CMMC assessment.
For a more detailed look at 5 cybersecurity initiatives, you can take to meet level 1 CMMC Certification, please check out our recent blog here:
Levels 2 and 3 are a bit more complex. The main idea for both levels is documentation and the ability to prove maturity. What this means is that not only do you need to implement the specific cybersecurity initiatives from Level 1, but you also must have proper documentation and a long-term plan of how you will begin to execute these processes. Being able to prove maturity means that you must prove during your CMMC assessment that you have performed these procedures and can show proof of how they effected your organization. You must be able to prove that you have started and been using these processes.
If you are interested in learning which CMMC level requirements you must meet and how well your organization is prepared to meet those requirements, email us for a CMMC readiness assessment.