Whether your company has done business with the Department of Defense in the past or you’re looking into the possibility of bidding on a government contract, you need to understand CMMC. Cybersecurity Maturity Model Certification is required for virtually all contractors working for the DoD. In November of 2021, the DoD updated CMMC requirements, releasing a model known as CMMC 2.0. What changes should your business be aware of?
What Is CMMC About?
Before diving into the substantial changes from CMMC 1.0 to 2.0, it’s worth taking a moment to review the purpose of CMMC in the first place. Put simply, CMMC unifies the various data security requirements that DoD contractors have had to follow for some time. Instead of giving different sets of instructions to different contractors, CMMC establishes one consistent set of guidelines for all contractors.
CMMC compliance is expected of the majority of businesses that interact with DoD projects on any level. The only exception is vendors that supply finished goods available on the open market. Any other business wanting to pursue lucrative DoD contracts must obtain some level of CMMC certification, even if the protected data consists only of purchase order numbers and contact information.
How Many Levels Are There in CMMC 2.0?
One of the biggest changes to CMMC 1.0 involves the number of different certification levels available for contractors.
CMMC 1.0 Certification Levels
CMMC 1.0 had a total of five different data security levels:
- Level 1 — Basic cyber hygiene: Basic security practices, including physical security, antivirus protection and smart password habits. This level involved things that any business should be doing anyway to keep its files secure.
- Level 2 — Intermediate cyber hygiene: This intermediate level involved following some, but not all, of the requirements laid out in NIST SP 800-171. Instead of 17 basic practices, companies needed to implement a total of 56 guidelines.
- Level 3 — Good cyber hygiene: This key level required contractors to implement all requirements from NIST 800-171. These requirements covered areas such as access control, system protection, authentication processes, audits, security assessments and risk assessments. Businesses needed to train their personnel to follow security procedures at all times.
- Level 4 — Proactive: This level required businesses to implement updated data security practices from a revised version of the CMMC guidelines.
- Level 5 — Advanced or Progressive: The highest level of CMMC certification, level 5 required contractors to undergo even more stringent audits. In addition to following good data security practices, these businesses had to show they were preparing for future threats.
In practice, the majority of DoD contractors aimed for either level 3 or level 5 certification.
CMMC 2.0 Levels
The new CMMC guidelines make significant changes to the number of levels and the requirements of each one:
- Level 1 — Foundational: To obtain certification, contractors must perform a self-assessment each year and follow 17 guidelines from the new NIST SP 800-171 Revision 2.
- Level 2 — Advanced: Level 2 CMMC certification requires contractors to implement 110 controls from NIST SP 800-171. This corresponds closely to the old level 3, though some requirements have shifted. Instead of a self-assessment, a third-party assessment is required.
- Level 3 — Expert: Now, in addition to all of the requirements of the previous levels, contractors seeking level 3 CMMC certification must also comply with part of NIST SP 800-172. This document outlines enhanced security requirements.
Businesses handling secret or top-secret data must follow expert-level data security practices.
What Has Changed With CMMC 2.0?
Put simply, CMMC 2.0 eliminated the previous level 2 and level 4 certifications. One reason for the change is that many small businesses found the additional certification cost-prohibitive. In addition, the extra requirements of level 2 and level 4 were poorly received and not relevant to many government contracts. CMMC 2.0 also outlined the system of third-party audits for certification, performed by a CMMC Third-Party Assessment Organization (C3PAO).
How Do You Know Which Level of CMMC To Pursue?
Each contract specifies the level of CMMC certification required for handling its data securely. Your business must follow the associated data security practices for Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
Note that you’re only required to implement controls for systems handling CUI and FCI, not your entire business. You can handle data security for other customers as you see fit.