March 4, 2020

    Cybersecurity Maturity: Decoding CMMC Levels for Clarity

    The Cybersecurity Maturity Model Certification is a relatively new security framework created to help government contractors standardize the security controls used to protect CUI (controlled unclassified information). The Department of Defense plans to migrate to this new level-based certification model starting in June 2020.

    The CMMC framework is designed to indicate the maturity of a company’s cybersecurity efforts. The more mature your security controls are, the higher the level you will obtain. The ability to handle sensitive data will be dependent on your certification level. 

    As a provider of government-compliant data-sharing software solutions, Sharetru plans to study these new regulations to ensure we get the correct certification level so we can provide our users with compliant and up-to-date solutions.

    The DoD has also stated that one reason the CMMC framework is being implemented is to “identify the required CMMC level in RFP sections L and M and use as a ‘go / no go’ decision.” DoD contractors must have at least a Level 1 certification to be eligible for government contracts. It’s also important to note that even subcontractors must have their own CMMC certification.

    Up until the announcement of the new CMMC framework, government contractors have faced the challenge of choosing which of the numerous security standards published by the U.S. government to follow. This is particularly difficult as different standards apply to different types of government contractors. 

    The new CMMC model, which lays out 4 steps to becoming compliant, combines all relevant security standards into a single framework, drawing on numerous government mandates to define the different CMMC levels, including:

    • FAR Clause 52.204-21
    • NIST SP 800-171 Rev 1
    • Draft NIST SP 800-171B
    • CIS Controls v7.1
    • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
    • CERT Resilience Management Model (CERT RMM) v1.2
    • NIST SP 800-53 Rev 4
    • DFARS
    • And more

    Before we look at the specifics of each of the CMMC levels, let’s look at the objectives of each level:

    • Level 1: Basic safeguarding of FCI (Federal Contract Information)
    • Level 2: Transition step to protect CUI
    • Level 3: Protecting CUI
    • Levels 4-5: Protecting CUI and reducing the risk from advanced persistent threats (APTs)

    Knowing the broad goals of the five levels will help you better understand the specific steps you must take to qualify for each level. As you navigate the CMMC process, it’s important to know what level you’re working toward. 

    Let’s take a closer look at the five CMMC levels and the security controls each one entails. 

    Level 1: Basic Cybersecurity Hygiene

    Level 1 or Basic Cybersecurity Hygiene is the lowest level of security controls a government contractor must have in place to earn a Cybersecurity Maturity Model Certification. Because the main objective is to safeguard FCI, you only need the basic security controls in place to qualify for this maturity level. However, all government contractors must obtain at least this level of CMMC to be eligible for government contracts. 

    View Level 1 as the foundation on which all other levels build. With basic security controls in place, you should be able to adequately protect FCI, information which is not intended for public release. Level 1 has 17 practices that qualifying government contractors must meet. These practices are derived from Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. (All subsequent levels also require alignment with FAR.)

    Level 2: Intermediate Cyber Hygiene

    Level 2 is the transitional phase between basic security measures and sound protection of CUI. This is the bridge between baseline requirements and the authorization to handle sensitive data. Reaching this level indicates that a contractor is working toward good cyber hygiene, but is continuing to establish the processes needed to protect CUI.

    To obtain this level, contractors must demonstrate they have 72 specific security practices in place. In addition to complying with FAR regulations, Level 2 includes a subset of 48 practices outlined in NIST SP 800-171 and 7 additional practices that support intermediate cyber hygiene. 

    Level 3: Good Cyber Hygiene

    Organizations that have reached CMMC Level 3 have the basic security controls in place needed to protect sensitive data. Building on the security requirements of Levels 1 and 2, obtaining Level 3 indicates contractors have 130 cybersecurity practices in place. These practices include the ones outlined in FAR, all of the practices listed in NIST SP 800-171, and 20 additional practices essential for good cyber hygiene. There are some key similarities and differences between CMMC and NIST 800-171 you should be aware of.

    While Level 3 indicates progress in cybersecurity maturity, contractors at this level may not be the best option for government agencies handling highly sensitive data, as these contractors may still have gaps in areas such as resisting APTs (advanced persistent threats).

    Level 4: Proactive 

    Government contractors who have reached Level 4 have demonstrated that they have established cybersecurity best practices and are now proactively assessing and adjusting those practices to better protect against emerging and evolving threats. 

    To reach Level 4, organizations must have 156 practices in place. In addition to all the practices needed for Level 3, contractors must also have a select subset of 11 practices from Draft NIST SP 800-171B in place. There are also 15 additional practices that should be in place to demonstrate that the organization’s cybersecurity program is proactive.

    Level 5: Advanced / Progressive

    Finally, the most advanced level, in terms of cybersecurity maturity, is Level 5. One hundred and seventy-one practices are required to reach Level 5. In addition to FAR, organizations should have established all practices from NIST SP 800-171 r1, a select subset of 4 practices from Draft NIST SP 800-171B, and an additional 11 practices that demonstrate they have an advanced cybersecurity program in place. 

    These organizations have established a mature, progressive, and standardized cybersecurity program and can be trusted to handle the most sensitive data. 

    June 2020 is rapidly approaching. To ensure the process of obtaining your CMMC level goes smoothly, it’s important to start implementing the appropriate security practices now. Consider which level is the ideal option for your organization and assess your security controls to ensure they’re in alignment with that level’s objectives.

    If they are not, take steps to address the gaps. With the appropriate controls in place, you’ll obtain your CMMC level with ease.

    If you plan to gain your certification or want to gain a fuller understanding of government file-sharing compliance, check out our ITAR, EAR & DFARS Compliance Guide to get started.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
