CMMC Certification Levels and Requirements


The Cybersecurity Maturity Model Certification (CMMC) requires companies that handle controlled unclassified information (CUI) to meet stringent cybersecurity requirements. The Department of Defense (DoD) has instituted this new standard, which mandates minimum certification levels for federal contracts.

Though CMMC may appear similar to NIST SP 800-171, its requirements will be more stringent: simply relying on POA&Ms will not suffice to pass.

Level 1

CMMC Level 1 covers 9 capabilities and 17 practices across 6 domains, such as Physical Protection (PE). Contractors implementing PE must restrict access to data by employing security controls such as visitor sign-in, card-reader identification and facility access management systems.

System and Communication Protection (SCP) addresses the establishment of boundary-level defenses for organizational communications, to stop bad actors from intercepting or recording internal communications; this includes email and system monitoring.

Cuick Trac™, our platform, provides companies with tools that allow them to meet the SI domain's requirements for securely destroying controlled unclassified information (CUI), Federal Contract Information and International Traffic in Arms Regulations data when it is no longer necessary; this serves as an essential safeguard for contractors handling CUI.

Level 2

CMMC Level 2 certification is the minimum certification required for contractors working with both federal contract information (FCI) and controlled unclassified information (CUI), per NIST SP 800-171. This level of the CMMC standard mirrors NIST SP 800-171 requirements.

Level 2 adds 55 practices to those found at Level 1, for a total of 72 security control requirements. Compliance at this level demonstrates that policies have been documented and executed as written, and that the organization has developed an advanced capability for protecting CUI.

Reaching CMMC Level 2 can be an extensive undertaking. Documenting and implementing all the required activities takes time, as does moving from this level to Level 3. However, contractors that reach this stage could then progress toward being assessed at Level 3, something the DoD had originally anticipated would happen within five years.

Level 3

At this level, organizations must have established and documented policies for every domain of the CMMC framework, along with the tools necessary to implement and maintain those practices over time. An assessment by a C3PAO (CMMC Third Party Assessment Organization) confirms this outcome.

At its highest level, CMMC compliance requires more than documentation; it also involves deploying more advanced technologies such as SIEM and FIPS 140-2 compliant tools.

As a DoD contractor, it is crucial that your data is protected from cyber-attacks. It is therefore recommended that preparation for CMMC certification begin well in advance of receiving any requests for proposals from the DoD.

Level 4

Level 4 builds upon the practices implemented at Levels 1 and 2, protecting information against cyberattacks. It also incorporates practices related to situational awareness: the ability to recognize and analyze threat intelligence, as well as data on the attack tactics, techniques, and procedures used against the organization.

At this level, companies must implement two-factor authentication and data encryption practices. This level also incorporates more stringent asset management practices to protect all systems containing CUI.

Though only a small portion of the DIB must comply with Level 5 CMMC certification, all contractors who hope to secure DoD contracts in the future should work toward it in order to protect information the federal government deems critical.

Level 5

At the highest level of CMMC certification, advanced cybersecurity capabilities must be in place to repel even the most sophisticated advanced persistent threats (APTs). Standard practices must also be documented, managed, and optimized in order to maintain consistency across a certification cycle.

Requirements are complex and standards can differ by industry; some are easier to meet than others. However, failure to fulfill DoD contract obligations could mean losing those contracts altogether.

Defense Industrial Base suppliers manage sensitive information, including controlled unclassified information (CUI) and federal contract information (FCI), and are often subject to hundreds of thousands of threat attempts daily. To safeguard against such attacks and mitigate the risk to the DoD, contractors are required to hold an adequate Cybersecurity Maturity Model Certification (CMMC), but achieving it can take both time and money, especially for smaller companies.