The Under Secretary of Defense for Acquisition and Sustainment (OUSD(AS)) created Cybersecurity Maturity Model Certification (CMMC) to protect controlled unclassified information (CUI) and federal contract information (FCI) across the defense industrial base (DIB). The DIB loses billions of dollars a year due to vicious cyber breaches and other acts of data theft. This continued loss generated a response from the Department of Defense to create and maintain a cyber secure and resilient nation with CMMC.

Many stakeholders across the DoD, research centers, and industry came together to create cybersecurity standards, processes, and practices that accumulate the five levels of CMMC. SoundWay Consulting delivers answers to organizations like yours on how to navigate the five levels in CMMC.

CMMC has 5 levels of maturity, with each level increasing in requirements, and complexity. The first three levels come from the existing 110 requirements found in NIST Special Publication 800-171Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations” and at Level 3, include additional controls from the Carnegie Mellon Resilience Maturity Model (RMM). The more advanced levels 4 and 5 encompass a more advanced cyber security posture that expand outside of NIST 800-171 requirements, with level 5 totaling in 171 practices. For your knowledge, the DoD will state the necessary CMMC level for contractors in each request for information (RFI) or request for proposal (RFP).

Prior to CMMC, nonfederal organizations in the DIB were able to confirm their cyber posture with self-assessment. Now, with CMMC in place it requires a C3PAO, a Third-Party Assessor Organization to supply official certification. These 3CPAOs assess DIB unclassified networks and issue the appropriate level of certifications. Each 3CPAO is trained and authorized by the CMMC Accreditation Body (CYBER-AB) who works concurrently with the Department of Defense (DoD) on CMMC.

Level 1 (L1) Process: Performed & Practices:

Basic Cyber Hygiene. Level 1 requirements are listed in the Federal Acquisition Regulation (FAR) CFR 52.204-21 and is not assessed for maturity process because it is not documented. Level 1 is right for contractors that only deal with FCI, and do not work with CUI. Some of the requirements include the following: limit access to authorized users and devices, limit access to certain transactions and functions, protect your companies’ communications, and protect your organization from potential malicious code. To obtain L1 you must adhere to all 17 practices across 6 domains and a total of 9 capabilities. There is no official process, only practices.

Level 2 (L2) Process: Documented & Practice:

Intermediate Cyber Hygiene. Level 2 is the start of the maturity level process and consists of requirements in NIST 800-171 that describe the steps necessary to protect CUI. Level 2 will prepare your organization for meeting all the requirements necessary for level 3 maturity. To become certified in L2 you must complete a total of 72 practices, an added 55 from what you would have already carried out in L1. With a total of 15 domains included in level 2, and because L2 is part of the maturity process, you must document all practices.

Level 3 (L3) Process: Managed & Practice: Good Cyber Hygiene.

Level 3 encompasses all 17 domains and ensures that you are taking the proper measures to protect CUI and documenting your L1, L2, & L3 cybersecurity plan. By L3 you have obtained the 110 requirements listed in NIST 800-171 and 20 added practices listed in documents like DFARS clause 252.204-7012. The appointed “people resources,” “funding resources,” and “tools” in place at L3 allow for a more comprehensive cybersecure documented plan.

Level 4-5 certification verifies that you are not only protecting CUI but equipped with reducing the risk against Advanced Persistent Threats (APT)

Level 4 (L4) Process: Reviewed & Practice: Proactive.

At a level 4 certification both qualitative and quantitative metrics are in place for measuring and controlling your process against your plan. L4 has 26 practices and 17 processes that are both technically and policy driven. Some of the enhanced security requirements that focus on the protection of CUI are in NIST 800-172, formally known as NIST 800-171B. The process of review specifically references the following: Review and measure [DOMAIN NAME] activities for effectiveness, found in document CERT RMM v1.2. Any organization certified in L4 has appointed higher management with a thoroughly proven cyber process.

Level 5 (L5) Process: Optimize Cybersecurity & Practice: Advanced/Proactive.

Level 5 is the highest and final level of certification in CMMC. By L5 continuous planning an organization is proactive in protecting, perfecting, and standardizing their process implementation. L5 totals in 171 control requirements and spans across all 17 domains. The main difference between level 5 and level 4 is that 5 has greater sophistication of cybersecurity practices. At L5 an organization has real time asset tracking, a 24/7 response team prepared to act against any threat, detecting malicious threats, and other intricate actions.

As CMMC continues to advance, SoundWay Consulting is here to do our part and keep you informed and up to date. We are a Registered Provider Organization (RPO) and listed in the CYBER-AB marketplace. We continue to supply resources like this blog to organizations like yours and are here to be your trusted partner.

Check out some of our other resources and drop us a note so we can talk about your journey in CMMC compliance.