The Tradeoffs of CMMC Levels
It comes as a surprise to a lot of people that you can fly a real airplane with nothing more than a driver’s license.
It’s true: Since 2004, the FAA has allowed anyone with a driver’s license to fly a special class of aircraft known as “light sport”—making flying accessible to anyone willing to limit their adventure to smaller, lower-powered aircraft carrying no more than two people.
Achieving CMMC certification is nothing like flying an airplane, but it does compare when it comes to deciding how much work you want to put into something and what goals you’re trying to achieve.
In other words, if you just want to take short recreational flights in a special kind of small airplane, during the daytime, below certain altitudes, outside of certain airspaces, why go to the trouble and expense of getting a private pilot’s license? If you never plan to get paid for flying, why get a commercial license?
The important point is that your goal for CMMC maturity level certification needs to match up to the types of projects you plan to take on with the DoD, because earning higher levels of certification is an investment that you’ll want to make sure pays off. Let’s call it “ROC” or “return on certification,” for short.
Similarly, each level of maturity requires different types of assessments, again depending on your goals and the kinds of information you’ll be handling. As we mentioned, there are three levels to this new version of CMMC—which we’ll dig into shortly—and they come with different requirements for assessments. The DoD describes the assessments as follows:
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
- Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
- The highest priority, most critical defense programs (Level 3) will require government-led assessments.
Before assuming you’ll need to reach Level 3 and apply for a government-led assessment in order to be compliant with CMMC, take the time to understand what types of information you’re handling and why. If your organization needs to handle critical information, you may need to apply for a third-party or government-led assessment and strive for Level 2 or 3 maturity. Otherwise, Level 1’s self-assessments might work fine for what you need. Don’t spend the time, energy, or money on the Level 2 or 3 requirements if you don’t have to.