The Cybersecurity Maturity Model Certification (CMMC) framework of regulations is a relatively new governing document that brings together several cybersecurity and risk management requirements to streamline security and compliance for agencies and contractors in the Defense Industrial Base (DIB) supply chain.
Even though this framework is not, as of yet, required by all DoD agencies, its roadmap suggests that it will become a requirement in the coming years.
Central to CMMC regulations are five security levels, each of which determines the kinds of data a contractor can manage in their systems. These levels are distinguished by an escalating series of requirements in terms of an organization’s technical capabilities and abilities.
What is the Relationship Between CMMC and Controlled Unclassified Information (CUI)?
CUI is a very specific form of data within government and defense work. The Defense Counterintelligence and Security Agency defines CUI as “government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies”.
More concretely, CUI is sensitive government information generated in the operation of government agencies and their contractors that does not fall under the purview of military classification. While classified information usually follows more stringent security procedures (like being managed through the SIPRNet router network), CUI does not. At the same time, CUI is sensitive information that needs protecting, just not to the same standards as classified information.
To standardize management of CUI, the federal government consolidated several regulatory documents and requirements, including NIST SP 800-171, to promote good “cyber hygiene”, or that capacity of contractor to reliably and effectively prevent, manage and remediate security events. Previously, contractors were only required to self-report NIST 800-171 readiness. CMMC has changed that so that not only are regulations more exacting depending on data requirements, but certification also requires a Certified Third-Party Assessment Organization (C3PAO) to audit and certify their systems.
Processes and Practices Under CMMC
To help auditors and contractors understand the requirements of each CMMC security level, the CMMC Accreditation Board (CMMC-AB) uses a series of classifications outlining the roles, responsibilities and capabilities an organization must meet for each level.
Two primary classifications pertain to certification levels:
- Processes: Processes are specific acts, governance and risk assessments and technical capabilities that an organization can use to achieve specific cybersecurity goals.
- Practices: Practices are your ability to implement controls within CMMC. Practices more specifically relate to the concept of “cyber hygiene” under CMMC, with the number of processes in place increasing the quality of an organization’s hygiene.
At each level of CMMC, your organization must be able to meet an increasingly rigorous measurement of the processes you have in place and the practices that you can put into place.
The Five Levels of CMMC Certification
With those facts in mind, we can break down the basics of CMMC certification levels:
- Level 1: The most basic level, any company seeking CMMC certification will be expected to, with little effort or change, meet Level 1 requirements. At this level, your organization must meet Basic Cyber Hygiene practices, including the ability to implement simple measures like access control and authentication, limit physical access to systems (including managing visitors, destroy old media responsibly, and other practices. You should also be able to Perform these practices effectively–that is, system maturity isn’t expected at this level so long as the practices stated are present.
- Level 2: At Level 2, you are looking at Intermediate Cyber Hygiene, which includes everything from Level 1 plus implemented controls to control access least privileges, limiting portable storage, and more advanced training. At the same time, you should be able to Document your processes, including developing guides for implementation so that they can be implemented repeatedly. Level 2 is not a common Level to achieve outside of serving as an intermediary space between Levels 1 and 3.
- Level 3: This certification level is the minimum your organization must achieve to handle CUI in any form. At Level 3, you’re moving into Good Cyber Hygiene. This includes all the practices from previous levels plus several more advanced abilities, including the ability to encrypt wireless communications, deploy encrypted remote access, control mobile device access and encrypt any CUI on mobile devices (among other controls). Additionally, your organization must demonstrate the ability to Manage, plan, conceive an overarching security management policy. This includes documenting your mission, goals, training, stakeholders and resources across your IT infrastructure.
- Level 4: A specialized designation, certification level 4 encompasses enhanced security guidelines from NIST SP 800-171B, which includes protections tailored to address Advanced Persistent Threats (APTs). Level 4 also includes that your organization demonstrates the ability to Review and measure your security infrastructure in a way that leads to a better understanding of security gaps and effectiveness.
- Level 5: At Level 5, you’re taking proactive security measures and exhibiting Optimized management of those measures. At this level, you should be able to maintain a cyber incident response team to handle security events, leverage SIEM or other auditing tools for event management, implement detection and intrusion systems and analyze network traffic. On top of that, you should be able to analyze and optimize your own internal security processes continually in the face of evolving cybersecurity threats. At this level you are expanding your capacity to protect CUI from APTs.
As you might notice, higher security levels call for more advanced and proactive security measures. The level of certification you’ll need will, in part, be dictated by an RFP from a DoD agency. However, you can also proactively achieve any level of CMMC certification for preparation or best cyber hygiene practices.
Note, however, that if you plan on ever working with an agency handling CUI, CMMC certification Level 3 is the minimum standard.
Prepare for CMMC Auditing with Continuum GRC
Two of the best ways to approach audits and certification are with expertise and automation. With the Continuum GRC platform, we can support all your Governance, Risk Assessment and Compliance needs as they relate to CMMC certification. Our automated ITAM platform provides templates and modules for all 5 CMMC certification levels. More importantly, our system and team of experts can help you better understand your requirements and obligations under related regulations as well, including FISMA and NIST guidelines.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.