What Subcontractors Need to Understand About the Three Levels of CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) program continues to evolve, bringing significant changes and implications for businesses operating within the Defense Industrial Base (DIB). As the rulemaking process progresses and updates are introduced, it becomes crucial for subcontractors in the DIB to stay informed about these changes and understand the key points that can impact their operations. Let’s walk through the essentials of CMMC to better understand its evolution and the key aspects subcontractors in the DIB should be aware of.
CMMC 2.0 Explained
CMMC is a framework established by the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of organizations within the DIB. It aims to protect sensitive information and ensure that adequate cybersecurity practices are in place throughout the contractor supply chain.
As the CMMC program evolves, it is essential to stay up-to-date. Currently, we’re still waiting for the rulemaking process to complete so that the requirements and implementation guidelines for CMMC are finalized. The DoD releases updates and news as developments occur, but businesses have found the process challenging to navigate, especially when it comes to which requirements they need to meet. Here is what we know so far about this process.
The CMMC framework originally consisted of five levels, each representing an increasing level of cybersecurity maturity. This has since been reduced to three, with the Level 3 controls yet to be finalized. Contractors will be required to meet the specific requirements outlined in one of these levels based on their involvement in handling sensitive DoD information.
To oversee the certification process, training, and assessment of contractors, the CMMC Accreditation Body (CMMC-AB) was established. It works with Certified Third-Party Assessment Organizations (C3PAOs), which play a crucial role in assessing and certifying organizations’ compliance with CMMC.
That being said, we still don’t have a concrete date for when this framework will be codified and start appearing in new DoD contracts. In the meantime, we are seeing prime contractors starting to proactively enforce compliance among their subcontractors. This is to ensure a seamless transition once CMMC is released, and that all partners are doing their due diligence when it comes to protecting our most important information.
CMMC Levels and Subcontractors
Understanding each level of CMMC and its required controls, on top of assessment and ongoing support, can feel daunting to subcontractors. While the framework is still waiting to be codified, we do know that each contractor will only need the level of compliance aligned with the data that they specifically work with, not what’s defined in the contract as a whole. For example, if a prime contractor is compliant at Level 3 but only passes FCI data to their subcontractors, those subcontractors only need to be certified at Level 1.
So, what do all the levels entail? And which one is right for your business? We’ve outlined them below to help you get started.
At Level 1 certification within the CMMC framework, organizations in the defense industrial base are expected to have basic cybersecurity practices in place. It consists of roughly 17 controls and is intended for contractors that only process Federal Contract Information (FCI). At this level, you can self-assess.
Level 2 certification is meant for organizations processing controlled unclassified information (CUI). At this level, organizations will be expected to meet at least 110 controls derived from NIST SP 800-171. Organizations at this level will also require an assessment from an approved and authorized third-party provider.
While the Level 3 controls have yet to be finalized, the government is actively working to define them at the time of publishing this article. This level is intended for organizations that process CUI of a higher, more sensitive nature. As of now, we know that at a minimum Level 3 contractors will need to follow 110+ security practices based on NIST SP 800-171 and -172. Assessments at this level will be government-led, rather than a self-assessment or an assessment by a third party.
What’s Next for CMMC?
As the CMMC program continues to evolve, businesses within the DIB must stay well-informed about the framework and its evolving updates. By staying engaged and keeping track of the direction of this framework, subcontractors can signal trust to their clients and partners, continually enhance their cybersecurity posture, and ensure compliance readiness.
Our best advice is to stay proactive. If you are overwhelmed or unsure of how this process may affect your business, you can engage with a trusted cybersecurity partner like USX Cyber, and leverage our expertise to support your CMMC journey. To start, check out our webinar on CMMC for more information or reach out to our experts directly so we can help protect sensitive information, strengthen the defense supply chain, and contribute to a more secure future.
Remember, CMMC compliance is not a one-time task but an ongoing commitment to maintaining robust cybersecurity practices within the Defense Industrial Base.