CMMC Certification Levels for DoD Contractors

Federal contractors and subcontractors must achieve CMMC Level 2 compliance depending on the nature of the information they manage; for instance, organizations dealing with FCI/CUI must be compliant.

Locating qualified consultants can be challenging. That’s why Cyber AB has designed a system of registering, certifying and licensing professionals in order to make finding one simpler.

Level 1

Level 1 of CMMC represents the basic security requirements set forth by DoD contractors for safeguarding federal contract information (FCI) and controlled unclassified information (CUI). As this level can be achieved most easily and affordably for small companies, this should be your starting point.

At Level 1, CMMC requires that information is restricted physically, with data being shredded or erased before disposal. Access control for programs and file shares is also essential, yet many OSCs struggle with restricting administrative privileges for non-IT employees so that only authorized personnel have access to sensitive data.

DoD suppliers without CMMC Level 1 certification may find it challenging to compete for contracts within the DoD industrial base (DIB). Smart defense contractors recognize this challenge and take steps early on to become certified so they can leverage it when bidding on published RFPs.

Level 2

As previously discussed, CMMC Level 2 introduces 55 new practices which expand upon existing policies to offer more detailed steps for protecting CUI. This increased focus is intended to make it simpler for DIB organizations to implement security controls and meet CMMC requirements.

New practices take time and dedication to fully integrate into daily operations, which aids process institutionalization and supports future certification efforts at Level 3 or higher. But Level 2 provides an ideal opportunity to start building security practices that lead to compliance.

While CMMC 2.0 has greatly reduced its requirements compared to its original form, it remains an extensive undertaking for any DIB contractor handling controlled unclassified information (CUI). You should expect to spend 9-18 months at Level 2, depending on your maturity level; thankfully, if you take an approach focused on security, organic success should come more quickly than anticipated.

Level 3

Level 3 certification from CMMC is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) stored, transmitted, or processed by DIB contractors.

CMMC level 3 requirements build on the preparatory and transitional work completed at levels one and two to provide expert CUI protection by incorporating NIST SP 800-171 Rev 2 plus any additional safeguards. They require more specific attention than at level 1, as they move away from implementation towards managing practices actively.

Additionally, CMMC Level 3 mandates an annual self-assessment to be completed by an accredited third-party assessor, in order to increase the Department’s assurance that sensitive information shared with contractors is adequately protected – especially crucial when handling sensitive national security data.

Assessing Your CMMC Maturity

The Pentagon is in the midst of rolling out CMMC, and will soon require all contractors that handle federal contract information (FCI) or controlled unclassified information (CUI) to be certified before doing business with DoD. Companies failing to meet this standard will be disqualified.

Attaining CMMC certification can be difficult. It requires significant investments of time, resources, and money – yet is an integral step for any company working with government.

For DoD contractors or those hoping to bid on future DoD contracts, one of the first steps toward compliance management and maintenance (CMMC) should always be conducting a comprehensive gap assessment using an accredited third-party assessor like FedHive. A thorough gap analysis will allow you to understand which controls are necessary.

Once you have assessed your gaps, create a plan to remediate them and prepare for your CMMC audit. Be sure to share this plan throughout your organization, with timelines outlined for each action. Next step? Schedule your audit with CMMC!