What is CMMC?
CMMC is the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification. It requires all suppliers, contractors, and sub-contractors to establish internal controls that protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and the other data, networks, and systems of the Defense Industrial Base (DIB) sector. Previously, companies could conduct an internal compliance assessment to self-certify against the applicable Defense Federal Acquisition Regulation Supplement (DFARS) clauses. In the near future, companies will instead need to pass an audit conducted by a certified third-party assessment organization (C3PAO).
What are the 5 CMMC levels?
The maturity levels of CMMC certification correspond to progressively more demanding cybersecurity processes and practices. The five levels are:
Level 1: Basic Cyber Hygiene – corresponds to the 17 basic cybersecurity practices, drawn from NIST SP 800-171 Rev 2, that must be performed.
Level 2: Intermediate Cyber Hygiene – focuses on establishing and documenting the practices and policies needed to comply with 72 cybersecurity requirements.
Level 3: Good Cyber Hygiene – corresponds to 130 cybersecurity practices, including all Level 1 and Level 2 requirements.
Level 4: Proactive – focuses on 156 cybersecurity practices, including all Level 1, 2 and 3 requirements, which must be reviewed and measured for effectiveness.
Level 5: Advanced/Progressive – corresponds to 171 cybersecurity practices, including all Level 1, 2, 3 and 4 requirements, with increased depth and sophistication of cybersecurity capabilities.