Understanding and Leveling Up Your CMMC Maturity
CMMC Knowledge Hub
Three progressive levels are the key to this emerging U.S. Department of Defense (DoD) certification.
As we discuss in our article on your roadmap to CMMC, compliance matters to any organization that plans to do business with the U.S. Department of Defense (DoD). CMMC, the Cybersecurity Maturity Model Certification, is a DoD program designed to protect sensitive information shared between the Department, its vendors, and those vendors' own third parties.
CMMC is not yet required in every contract; the DoD is completing the rulemaking that will finalize the program, a process that could take anywhere from 9 to 24 months. But any organization in the "defense industrial base" that works with the DoD needs a plan to earn this credential.
Its name makes CMMC sound like one certification, and technically it is. But another key word in the credential's name, "maturity," means organizations can be certified at any of three levels. Becoming familiar with these cumulative, progressive levels, and with how you achieve each one, is an important part of planning for certification.
Note that CMMC originally had five levels. Organizations found it tremendously difficult to work through all five, so the DoD set out to simplify and streamline the model. CMMC 2.0, introduced in 2021, has only three levels, with Level 3 the highest.
For the next few minutes, we're going to focus on several key aspects of the CMMC 2.0 program.
What is CMMC 2.0?
In simplifying the certification process, the DoD sought a model that makes reaching the highest level of certification more realistic and attainable for organizations that want to work with the federal government.
CMMC 2.0 includes a tiered model, different assessment requirements for each tier, and phased implementation for DoD contractors. We cover each of these in other Knowledge Hub articles.
The most notable changes are:
- A focus on critical requirements
- Alignment with widely used standards, in particular the National Institute of Standards and Technology (NIST) publications SP 800-171 and SP 800-172
- Lower costs
- Increased accountability, collaboration, flexibility, and speed in the certification process
But the biggest change between the two programs is in the assessments. Under the original program, every level required a third-party assessment to determine your level of maturity. Now, at the lowest level, Level 1, you complete a self-assessment to show you meet that level's requirements. Level 2 generally requires a third-party assessment (a subset of Level 2 programs may self-assess), and Level 3 requires a government-led assessment.
Below, we share more information about each level’s requirements.
The Tradeoffs of CMMC Levels
It surprises a lot of people that you can fly a real airplane without an FAA medical certificate; a driver's license is enough.
It's true: since 2004, the FAA's sport pilot rule has let pilots fly a class of aircraft known as "light sport" using a driver's license in place of a medical certificate, making flying accessible to anyone willing to limit their adventures to smaller, lower-powered aircraft carrying no more than two people.
Achieving CMMC certification is nothing like flying an airplane, but the analogy holds when it comes to deciding how much work to put into something and what goals you're trying to achieve.
In other words, if you only want short recreational daytime flights in a small airplane, below certain altitudes and outside certain airspace, why go to the trouble and expense of a private pilot's license? If you never plan to get paid to fly, why get a commercial license?
The important point is that your goal for CMMC maturity level certification needs to match up to the types of projects you plan to take on with the DoD, because earning higher levels of certification is an investment that you’ll want to make sure pays off. Let’s call it “ROC” or “return on certification,” for short.
Similarly, each level of maturity requires a different type of assessment, again depending on your goals and the kinds of information you'll handle. As we mentioned, the new version of CMMC has three levels, which we'll dig into shortly, each with its own assessment requirements. The DoD describes them as follows:
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
- Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
- The highest priority, most critical defense programs (Level 3) will require government-led assessments.
Before assuming you need Level 3 and a government-led assessment to be compliant, take the time to understand what types of information you handle and why. If your organization must handle CUI, and especially CUI deemed critical to national security, you may need a third-party or government-led assessment and Level 2 or 3 maturity. Otherwise, Level 1's self-assessment may be all you need. Don't spend the time, energy, or money on the Level 2 or 3 requirements if you don't have to.
Climbing the CMMC Staircase
Let's review the three levels of CMMC maturity.
Level 1 covers the basic safeguarding practices of FAR 52.204-21, such as access control and physical protection. It applies to organizations that handle federal contract information (FCI), information not intended for public release, but no information deemed critical to national security. Levels 2 and 3 cover controlled unclassified information (CUI), and being able to protect CUI can open up new opportunities for your company.
The DoD lets organizations self-assess at Level 1, so it is the quickest route to CMMC certification. The self-assessment must be repeated annually to maintain it.
At Level 2, organizations handle CUI, which is why documentation gets serious. Expect to maintain written documentation of who is responsible for each practice, how it is funded and resourced, and what tools you'll use to carry it out.
At Level 2 the DoD requires a "triennial third-party assessment for critical national security information" and a "triennial self-assessment for select programs." In other words, organizations must prove they can protect CUI properly, and the requirements are aligned with the 110 security requirements of NIST SP 800-171.
So it is possible to reach Level 2 with only a self-assessment, but only for select programs whose CUI is not deemed critical to national security.
At Level 3, which CMMC 2.0 calls the "Expert" level, you're required to undergo "triennial government-led assessments" to prove you've met the requirements. Those requirements were still being finalized at the time of writing, but the DoD has stated they will be based on NIST SP 800-171 plus a subset of NIST SP 800-172.
By this point you've prepared proactively for advanced persistent threats (APTs); the goal now is to standardize and optimize processes across the organization, establishing the consistency CMMC specifies so that processes improve each time you perform them.
This highly sophisticated level of cybersecurity designates your organization as one that can rigorously repel APTs and protect CUI. We can't cover every detail here, but be prepared to field an around-the-clock incident response capability and to respond to unannounced tests.
Downstream CMMC Compliance
In a world of joint ventures, subcontracting, and ad-hoc, collaborative projects, the Department of Defense is interested in more than your firm’s cybersecurity preparedness: They want to make sure that your suppliers don’t present a security risk.
So, while it's critical that your organization reaches a CMMC level appropriate to the projects you bid on and the information you handle, you'll also have to ensure that any subcontractor that handles the same type of information meets the same requirements and the same level of maturity. The DoD specifically states:
“If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.”
Hard Realities of CMMC Compliance Tracking
We’re not gonna kid you: You’ve got a lot of work to do.
By Level 3, the structure of CMMC elements, and the list of things you need to accomplish, gets torturously long, a measure of how seriously the DoD takes cybersecurity and of the importance of proving its suppliers can deliver the security they promise.
Anticipating CMMC becoming a requirement across DoD contracting by 2024, many firms in the defense industrial base have already started planning their approach to certification.
Some companies are trying to do it all with spreadsheets and word processors; others have turned to specialized software, which we'll explore in a future article.