If you are a DoD contractor, it is important to be aware of the CMMC certification regulations the DoD introduced in 2020. These regulations set the cybersecurity standards that contractors must meet in order to do business with the Department of Defense.
In this blog post, we will discuss what level of cybersecurity is required in order to meet CMMC certification regulations. We will also provide information on DoD security regulations and how you can prepare to achieve certification.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that requires contractors to meet, and verify that they meet, defined cybersecurity standards. It was created in response to the growing number of cyber attacks against the DoD and the contractors in its supply chain (the Defense Industrial Base), after years of relying on contractor self-attestation to DFARS 252.204-7012 and NIST SP 800-171 proved insufficient.
To be certified, contractors must demonstrate that they protect the DoD information they handle. Depending on the CMMC level, this is done through an annual self-assessment, an assessment by a certified third-party assessment organization (C3PAO), or a government-led assessment.
What Level of Cybersecurity Do DoD Contractors Need to Meet CMMC Certification Regulations?
To meet DoD security regulations, contractors must implement the level of controls that matches the sensitivity of the DoD information they process, store, or transmit: Federal Contract Information (FCI) requires the Foundational level, while Controlled Unclassified Information (CUI) requires at least the Advanced level.
Contractors must also run a formal cybersecurity program with written policies and procedures for managing cybersecurity risk. For organizations handling CUI, NIST SP 800-171 requires this to include a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) tracking any gaps. The program must fit the contractor's own environment and the DoD information it handles.
CMMC Levels Explained
When CMMC was originally established, the DoD defined five levels of security for its contractors. CMMC 2.0 reduces that to three:
- Foundational (Level 1): For organizations that handle FCI (Federal Contract Information). Similar to the original Level 1, it requires the 17 practices drawn from the basic safeguarding requirements in FAR 52.204-21, verified by an annual self-assessment.
- Advanced (Level 2): For companies that handle CUI (Controlled Unclassified Information). It is comparable to the original Level 3 with the CMMC-unique practices dropped, so it now aligns exactly with the 110 security requirements of NIST SP 800-171. Assessment is triennial by a C3PAO for contracts involving prioritized acquisitions, and an annual self-assessment for select non-prioritized programs.
- Expert (Level 3): Aimed at mitigating the risk of APTs (Advanced Persistent Threats) and reserved for companies handling CUI on the DoD's highest-priority programs. Similar to the original Level 5, its requirements are still being finalized; they will build on NIST SP 800-171 plus a subset of the enhanced controls in NIST SP 800-172, with assessments led by the government rather than a C3PAO.
The redefinition of the levels in CMMC 2.0 lowers the cost of entry for small and medium-sized businesses (most of which only need a self-assessment), keeps the focus on protecting DoD information, and aligns CMMC with the NIST standards the cybersecurity industry already uses.
How To Achieve Certification
To achieve CMMC certification, a contractor goes through an assessment whose form depends on the level: a self-assessment with an affirmation by a senior company official at Level 1, an assessment by a C3PAO at Level 2 (for prioritized acquisitions), and a government-led assessment at Level 3. Assessments review the contractor's cybersecurity program, the SSP and supporting evidence, and the in-scope systems themselves, and may include site visits to the contractor's facilities.
Assessment results are recorded in the DoD's Supplier Performance Risk System (SPRS). A contractor that meets all of the requirements receives a CMMC certification valid for three years; limited, time-bound POA&Ms are permitted for a small number of unmet requirements, which must be closed out within 180 days.
If you are a DoD contractor or want to become one, start working toward CMMC compliance as soon as possible: the sooner you prepare, the easier it will be to meet the requirements. Many resources are available to help, and the DoD's CMMC program office publishes guides, scoping guidance, and assessment guides on its website.