Posted by Drew Kaiser on Jun 8, 2021
Effective November 30, 2020, all contractors working with the Department of Defense (DoD) are required to have Cybersecurity Maturity Model Certification (CMMC). Developed by the DoD, the CMMC is the unifying standard for implementing cybersecurity across the Defense Industrial Base (DIB). The purpose of the CMMC is to protect intellectual property and keep U.S. secrets secure.
All companies that interact with or manufacture products for the DoD will need to comply with the CMMC standards. All new proposal requests now require CMMC certifications. By 2025, all contractors interacting with the DoD. Will be required to show proof of CMMC certification.
There are five levels of certification in the CMMC. Each level introduces new security practice requirements necessary for certification.
Watch our Introduction to CMMC Practice Progression for more information
CMMC Level 1 is an introduction to best practices and processes for basic cybersecurity hygiene. Cyber hygiene refers to best practices computer system administrators and users can use to improve cybersecurity in common online activities such as email, using the Internet, virtual meetings, etc.
The six basic cyber hygiene practices include:
Basic cyber hygiene practices correspond to the basic safeguard requirements specified in 48 CFR § 52.204-21. Safeguarding is required for any system that processes, stores, or transmits federal contract information.
Level 2 adds security requirements that are specified in NIST SP 800-171, which is currently in its second revision. NIST SP 800-171 is used to protect controlled, unclassified information, which is typically stored in non-federal systems and organizations.
The requirements introduced in Level 2 establish documented practices and policies to help guide the implementation of CMMC efforts across federally contracted organizations. Specifically, the documentation and practices are established to protect controlled, unclassified information used by an organization.
Watch this video for more details around the requirements for CMMC Level 2
Certification of CMMC Level 3 is the best level for small and medium businesses to achieve. This is an ideal level for businesses who do not directly work with the DoD or government agencies but do conduct business with large companies that support the DoD.
Level 3 CMMC manages the processes and practices for controlled unclassified information (CUI). CUI is government created or owned information that requires the safeguarding or dissemination controls consistent with applicable laws, regulations and policies. CUI is not considered classified information, but still requires some level of protection from unauthorized access.
Level 3 introduces new processes and new required practices. NIST SP 800-171 introduces more standards in this level to help mitigate threats.
Watch this video for more details around the requirements for CMMC Level 3
At this level, an organization is required to have a more in-depth management process for policies and practices for CUI. Effectiveness is also measured at this level.
Subcontractors who indirectly work with the DoD may be required to achieve Level 4 certification and is a minimum requirement for organizations working directly with the DoD.
The added practices and controls at this level are aimed to protect organizations and the DoD from advanced persistent threats (APT). APTs require an incident response (IR) process to help defend against these malicious attacks. The IR process is executed by a computer incident response team (CIRT) who have a wide breadth of knowledge of the organization’s networks, systems and security controls, with the goal to help defend against the APT.
Watch this video for more details around the requirements for CMMC Level 4
The main goal at CMMC Level 5 is to standardize and optimize an organization’s approach to security across the entire business.
CMMC Level 5 encompasses requirements from CMMC levels one through four and adds the remaining requirements from NIST 800-172 and NIST 853.
Organizations with Level 5 certification can handle incidents and take corrective action to remediate a threat. The CIRT is required to have the ability and knowledge to investigate an issue, either virtually or on site, within 24-hours.
Watch this video for more details around the requirements for CMMC Level 5
As FED and SLED organizations look to become CMMC-compliant or advance their way through each level of compliance, it’s a critical time to start planning current and future budgets to support this initiative. As you plan, ask yourself:
Each level of the CMMC certification comes with robust cybersecurity practices and policies. Cisco Zero Trust Security for CMMC addresses all levels to help protect and ensure your organization is in compliance with these new regulations.
Cisco offers a robust security portfolio and these solutions can help you easily achieve certification levels. From authentication, to verification, all the way to overall device and system security, there is a Cisco product that will work for you.
To get started, visit the Tech Data Cisco Security page and get in touch with our cybersecurity experts.
