The Cybersecurity Maturity Model Certification (CMMC) framework is a relatively new governing document that combines several cybersecurity and risk management requirements to streamline security and compliance for agencies and contractors in the Defense Industrial Base (DIB) supply chain.
Not all DoD agencies require this framework yet, but its roadmap suggests that it will become a requirement in the coming years.
Central to CMMC are three security levels, each determining the data a contractor can manage in its systems. These levels are distinguished by an escalating series of requirements regarding an organization’s technical capabilities.
What is the Relationship Between CMMC and Controlled Unclassified Information (CUI)?
CUI is a very specific form of data within government and defense work. The Defense Counterintelligence and Security Agency defines CUI as “government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”
More concretely, CUI is sensitive government information generated in the operation of government agencies and their contractors that does not fall under the purview of military classification. Classified information usually follows more stringent security procedures (such as being handled over SIPRNet, the Secret Internet Protocol Router Network), while CUI does not. At the same time, CUI is sensitive information that needs protecting, just not to the same standards as classified information.
To standardize the management of CUI, the federal government consolidated several regulatory documents and requirements, including NIST SP 800-171, to promote good “cyber hygiene,” meaning the capacity of contractors to reliably and effectively prevent, manage and remediate security events. Previously, contractors were only required to self-report NIST 800-171 readiness. CMMC has changed that: regulations are now more exact depending on data requirements, and certification requires a Certified Third-Party Assessment Organization (C3PAO) to audit and certify the contractor’s systems.
Processes and Practices Under CMMC
To help auditors and contractors understand the requirements of each CMMC security level, the CMMC Accreditation Board (CMMC-AB) uses a series of classifications outlining the roles, responsibilities and capabilities an organization must meet for each level.
Two primary classifications pertain to certification levels:
- Processes: Processes are the specific acts, governance and risk assessments, and technical capabilities that an organization can use to achieve specific cybersecurity goals.
- Practices: Practices are your ability to implement controls within CMMC. Practices relate more specifically to the concept of “cyber hygiene” under CMMC, with the quality of an organization’s hygiene increasing as more processes are put in place.
At each level of CMMC, your organization must be able to meet an increasingly rigorous measurement of the processes you have in place and the practices that you can put into place.
The Three Levels of CMMC Certification
With those facts in mind, we can break down the basics of CMMC certification levels:
- Level 1: This is the most basic level, and any company seeking CMMC certification will be expected to meet Level 1 requirements with little effort or change. At this level, your organization must implement 15 controls from the National Institute of Standards and Technology (NIST) Special Publication 800-171.
- Level 2: At Level 2, you are looking at implementing every single control (110 in total) from NIST SP 800-171. This is the minimum level required to handle CUI as a defense contractor.
- Level 3: This certification level is for advanced contracts where systems will deal with complex challenges related to Advanced Persistent Threats (APTs). You’re expected to implement the 110 controls from NIST SP 800-171 and an additional 24 controls from NIST SP 800-172.
As you might notice, higher security levels call for more advanced and proactive security measures. The level of certification you’ll need will, in part, be dictated by an RFP from a DoD agency. However, you can also proactively achieve any level of CMMC certification for preparation or best cyber hygiene practices.
However, if you plan on ever working with an agency handling CUI, CMMC certification Level 2 is the minimum standard.
Prepare for CMMC Auditing with Continuum GRC
Two of the best ways to approach audits and certification are with expertise and automation. With the Continuum GRC platform, we can support all your Governance, Risk Assessment and Compliance needs as they relate to CMMC certification. Our automated ITAM platform provides templates and modules for all 5 CMMC certification levels. More importantly, our system and team of experts can help you better understand your requirements and obligations under related regulations, including FISMA and NIST guidelines.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.