Your Guide to the New CMMC 2.0 Levels
The Department of Defense announced updated requirements and guidelines for the Cybersecurity Maturity Model Certification (CMMC) in November 2021. The CMMC establishes cybersecurity protocols that protect digital assets, controlled information, and more across the supply chain that impacts our national security.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is the compliance standard for organizations that operate in America’s Defense Industrial Base (DIB), established in order to safeguard digital assets, sensitive yet unclassified information, and more across the supply chain.
CMMC’s framework comprises three important components:
- Tiered model: CMMC cybersecurity requirements reflect the type and sensitivity of the information being handled, increasing in stringency as the sensitivity of the information grows; this component of the CMMC framework also describes how data is passed on to third-party contractors
- Assessment requirements: CMMC stipulates assessments, either by the organization itself or by authorized parties, to confirm that cybersecurity measures are established and followed
- Implementation through contracts: To bid on some DoD contracts, bidding organizations will need to demonstrate compliance at the level the project requires
Your Guide to the New CMMC 2.0 Levels
The revised CMMC 2.0 model consolidates the original five levels of compliance into three levels for organizations to follow.
Level 1: Foundational
As the title suggests, Level 1 CMMC compliance is the minimum cybersecurity requirement set for DoD contractors, subcontractors, or suppliers that handle federal contract information (FCI). This level covers 17 practices from Federal Acquisition Regulation (FAR) Clause 52.204-21, each of which maps to a NIST 800-171 control, and an annual self-assessment must be completed to maintain compliance.
The 17 practices can be broken down into six categories:
- Access Control (AC): Essentially, these practices help monitor and refine who has access to your network or other digital assets
  - AC.1.001 – maps to NIST SP 800-171 Rev 2 3.1.1
  - AC.1.002 – maps to NIST SP 800-171 Rev 2 3.1.2
  - AC.1.003 – maps to NIST SP 800-171 Rev 2 3.1.20
  - AC.1.004 – maps to NIST SP 800-171 Rev 2 3.1.22
- Identification and Authentication (IA): These practices help ensure actors within your network are verified and assigned to their appropriate roles
  - IA.1.076 – maps to NIST SP 800-171 Rev 2 3.5.1
  - IA.1.077 – maps to NIST SP 800-171 Rev 2 3.5.2
- Media Protection (MP): This foundational practice identifies and tracks media within your organization and covers policies for data sanitization
  - MP.1.118 – maps to NIST SP 800-171 Rev 2 3.8.3
- Physical Protection (PE): These practices go beyond the rudimentary card-swipe layer of physical protection to further strengthen physical barriers, such as monitoring visitors over the course of their entire stay within your business
  - PE.1.131 – maps to NIST SP 800-171 Rev 2 3.10.1
  - PE.1.132 – maps to NIST SP 800-171 Rev 2 3.10.3
  - PE.1.133 – maps to NIST SP 800-171 Rev 2 3.10.4
  - PE.1.134 – maps to NIST SP 800-171 Rev 2 3.10.5
- System and Communications Protection (SC): For this component of Level 1 security, these standards implement boundary controls and encryption requirements to ensure communication within your organization is protected
  - SC.1.175 – maps to NIST SP 800-171 Rev 2 3.13.1
  - SC.1.176 – maps to NIST SP 800-171 Rev 2 3.13.5
- System and Information Integrity (SI): These practices include standards for basic cybersecurity hygiene such as preventing malware, protecting email systems, ongoing maintenance of information systems, and more
  - SI.1.210 – maps to NIST SP 800-171 Rev 2 3.14.1
  - SI.1.211 – maps to NIST SP 800-171 Rev 2 3.14.2
  - SI.1.212 – maps to NIST SP 800-171 Rev 2 3.14.4
  - SI.1.213 – maps to NIST SP 800-171 Rev 2 3.14.5
These foundational standards will apply to the majority of DoD contractors, subcontractors, and suppliers that are not required to meet the more demanding standards outlined in Levels 2 or 3.
Level 2: Advanced
This intermediate level of compliance is for organizations that handle controlled unclassified information (CUI). It features all 110 practices from NIST 800-171 and stipulates triennial third-party assessments for critical national security information; annual self-assessments are required for select projects only.
The 110 cybersecurity practices from NIST 800-171 fall into the following 14 categories:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
While the foundational Level 1 categories are carried over into Level 2, this intermediate level of compliance is more in-depth and comprehensive across an organization. You can read more about these specifications in the extensive NIST 800-171 publication, which outlines the details and expectations set forth.
Level 3: Expert
The final level of CMMC 2.0 compliance is Level 3, which is by far the most stringent. To maintain compliance at this level, organizations must follow the 110 practices from NIST 800-171 plus 35 enhanced security requirements for protecting CUI from NIST 800-172, and complete triennial government-led assessments.
Essentially, NIST 800-172 outlines more fortified security measures to protect CUI and will apply to fewer organizations. The enhanced security requirements apply only to the following categories:
- Access Control
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The official NIST 800-172 document itself states that:
“The enhanced security requirements address the protection of CUI by promoting: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designs to achieve cyber resiliency and survivability. The enhanced security requirements are intended to supplement the basic and derived security requirements in [SP 800-171] and are for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”
Ensure Your Compliance with CMMC 2.0 Today
Security Compliance Associates offers a variety of services to assess your organization’s cybersecurity controls and provide corrective advice, which helps you maintain compliance while saving time and money. By partnering with us to manage your cybersecurity posture, your internal team can address other important matters.
Contact us today at 727-571-1141 to get started. We can evaluate your organization to assess if you are following CMMC 2.0 requirements and conduct a Readiness Assessment, as needed, to help you attain your desired maturity level. Take an active step in strengthening your security regulations to protect controlled unclassified information and avoid threats from cyber-attacks.