The Cybersecurity Maturity Model Certification (CMMC) is an information technology standard created by the U.S. Department of Defense (DoD) for the defense industrial base (DIB) – a worldwide industry sector that facilitates the research, production, distribution and maintenance of U.S. military weapons and systems. The goal of CMMC is to protect controlled unclassified information (CUI) as handled by contractors within the DIB. These contractors come from many industries, including but not limited to defense, finance, law enforcement, aerospace, exports, legal, immigration and infrastructure. The only exception to the CMMC certification requirement is for companies that solely produce commercial-off-the-shelf (COTS) products.
CMMC Certification Levels
The CMMC includes five certification levels that categorize an organization's ability to secure sensitive information. Each level draws on the NIST SP 800-171 guidelines as well as additional guidelines and practices recognized by the DoD. Each higher level incorporates the security standards of the level below it:
- Level 1: Basic Cyber Hygiene – Foundational security with basic safeguarding measures following 17 guidelines. Intended for the protection of federal contract information. Organizations document procedures as needed.
- Level 2: Intermediate Cyber Hygiene – Intermediate security practices using 55 additional guidelines that also serve as a transitional stage to protecting CUI. Organizations must document all security policies and procedures (including Level 1 practices).
- Level 3: Good Cyber Hygiene – Intended for the protection of CUI using an additional 58 guidelines. Organizations must actively maintain their established security policies and procedures.
- Level 4: Proactive – Enhanced security that protects CUI from advanced persistent threats (APT) and long-term attacks using an additional 26 guidelines. Organizations must measure their practices for effectiveness.
- Level 5: Advanced / Progressive – More advanced practices against APTs using an additional 15 guidelines. Organizations must optimize security processes throughout their entire operation.
Becoming CMMC Certified
Contractors seeking CMMC certification must be audited by a certified CMMC Third-Party Assessor Organization (C3PAO). The assessor will search for any security weaknesses, and contractors have 90 days to resolve them. Certification is valid for three years.
The CMMC was introduced in January 2020, and registration for C3PAOs began in June of that year. Full implementation of CMMC is expected to follow a phased rollout from 2021 to 2026, at which point all contractors conducting business with the Department of Defense will be required to hold CMMC certification.
Sealevel & Cybersecurity
Sealevel is in the process of evaluating cybersecurity practices and updating policies to comply with CMMC.