CMMC Compliance

CMMC was implemented due to the scarcely low adoption rate of NIST 800-171. CMMC can help you set the stage for complying with security standards in accordance to the company’s needs. Also as briefly mentioned earlier it can improve security policies, procedures, standards, and protect your company’s Intellectual Property (IP).

In the DOD, entities and contractors vary from international contractors to national workers. Besides the DOD, contractors compose other federal agencies. As a contractor, jobs permit manufacturing and maintenance of government equipment and systems. With this in mind, contractors work with defense related products. These include weapons and vehicles used for military operations. In a nutshell, this diversity is complex and spans in different sectors. Companies who must abide by the CMMC requirement must be compliant in order to bid on any government contracts available to contractors in the Defense Industrial Base (DIB).

CMMC version 1.0 includes 5 levels and each has a different number of controls but grows in size and scope with each level. This can start to becoming a challenge quickly if you are not experienced with these controls prior and you will end up wasting lots of time and effort. The best way to be prepared for a CMMC Compliance Assessment or Pre-Assessment is to get your documents in order. Make sure they are updated and accounted for because good documentation is half the challenge. Below the levels of CMMC compliance are listed with how many controls are in each level.

CMMC compliance provides various levels of security checks. Different system checks and parameters depend on organizations needs and openness. Given these points, each level has a given amount of practices.

Level 1: Basic Cyber Hygiene – CMMC Level one focuses on the foundation of NIST CMMC and must be completed by any DoD contractor that works within the defense Industrial Base (DIB). It was modeled after  48 CFR 52.204-21 and It addresses things such as implementing the proper cyber practices including security training and antivirus software. In addition, it ensures Federal Contract Information (FCI) is protected but there is no process maturity requirement for level one.

Level 2: Intermediate Cyber Hygiene – Level two is geared towards the protection of Controlled Unclassified Information (CUI). It is required that organizations keep a record of certain “intermediate cyber hygiene” practices. The level has much overlap with NIST 800-171 r2 controls and makes it simple to be CMMC Level two compliant if there is proof of compliance with the framework.

Level 3: Good Cyber Hygiene – Level three further extends the requirements of Level two that focus on the protection of CUI. This level is comprised of 47 security controls that must be properly documented. Also if the company is subject to DFARS compliance those regulations are still is in effect.

Level 4: Proactive: Level four of the CMMC introduces the requirement for organizations to be proactive in defending against advanced persistent threats (ATPs*). CMMC guidelines state, level four is intended to be the minimum level for prime contractors working with CUI. It replicates some of the requirements of DFARs, whilst also putting these into a framework in which they can be worked towards. Level 4 CMMC maturity indicates review and review documentation informs upper management of issues requiring remediation.

*APT –  not your basic threat, has a sophisticated levels of expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors and seems to be common form of cyber espionage.

Level 5: Advanced/Progressive – the final level of the CMMC and defines those organizations that are Advanced/Progressive/State-of-the-Art in cybersecurity. The CMMC defines 30 extra security controls – over level four – that need to be put in place in order to achieve level five. Whether level five will become the standard for DoD contractors is unclear. Process level maturity at this most advanced level indicates the company that has been DoD CMMC certified ensures processes have been standardized and implemented uniformly across their entire company.

In order to get started, you must baseline where you currently stand in the process. We call this the CMMC “Pre-Assessment”. The System Security Plan (SSP) and (POA&M) must be reviewed before starting the CMMC Assessment. CMMC requires organizations to be trained, have an accreditation license, and sometimes get a background check. The two most popular services we offer are documented below.

All in all, CMMC is at its infancy, but has grown and provides better coverage to information and systems. Although it includes NIST standards, it does not cover all the NIST policies. If an organization is CMMC compliant, it does not mean that they are NIST compliant and vice versa. Compliance and policies provide safety for organizations and avoid security vulnerabilities and exploits. At Praetorian Secure, we can provide these services and more, just contact us and we will find your ideal cyber security compliance solution.