October 26, 2022

How do you get CMMC 2.0 Compliant: What the 3 levels of CMMC means for your organization

How do you get CMMC 2.0 Compliant: What the 3 levels of CMMC means for your organization

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a new set of standards for the protection of sensitive government information in the defense industrial base (DIB) supply chain. As a company that does business with the DIB, it is important that you understand these new requirements and take steps to become compliant. In this post, we will discuss what the CMMC 2.0 is and what you need to do to ensure that your company is compliant. By implementing the necessary security measures and undergoing the certification process, you can protect your sensitive data and ensure that your business remains competitive in the DIB supply chain.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new set of standards developed by the Department of Defense (DoD) to protect sensitive government information in the defense industrial base (DIB) supply chain. The CMMC is a five-level certification program that assesses an organization's ability to implement and maintain adequate cybersecurity practices. Each level represents a different level of cybersecurity maturity, with Level 1 being the most basic and Level 5 being the most advanced.

The CMMC is designed to protect the DIB supply chain from cyber threats by requiring companies that do business with the DoD to implement certain cybersecurity practices. The CMMC is not just a set of guidelines or best practices, but a mandatory requirement for companies that want to do business with the DoD.

The CMMC was created in response to the growing threat of cyber attacks on the DIB supply chain. The DoD recognizes that many of its contractors and subcontractors may not have the necessary cybersecurity measures in place to protect sensitive government information. By implementing the CMMC, the DoD hopes to ensure that all companies in the DIB supply chain have adequate cybersecurity practices in place.

What are the key differences between CMMC 1.0 and 2.0? 

The Cybersecurity Maturity Model Certification (CMMC) 1.0 and CMMC 2.0 are two versions of the same certification program. Both versions were developed by the Department of Defense (DoD) to protect sensitive government information in the defense industrial base (DIB) supply chain. However, there are some key differences between the two versions.

One of the main differences between CMMC 1.0 and CMMC 2.0 is the number of levels. CMMC 2.0 has three levels (Foundational, Advanced, and Expert), while CMMC 1.0 had five levels (Basic through Advanced). The simplification of levels reduced the complexity and ambiguity of getting certified at each level. 

Another key difference between the two versions is the focus on NIST Special Publication (SP) 800-171. CMMC 1.0 was not specifically aligned to NIST SP 800-171, but CMMC 2.0 builds on the principles and requirements outlined in the publication. For simplicity's sake, CMMC Level 2 is directly aligned with the controls in NIST SP 800-171.

Overall, CMMC 2.0 is a more comprehensive and rigorous certification program than CMMC 1.0. It includes less levels, and a stronger emphasis on NIST SP 800-171. Companies that are looking to do business with the DoD should ensure that they are compliant with CMMC 2.0 in order to protect their sensitive information and maintain their competitiveness in the DIB supply chain.

What is CMMC’s Relationship with NIST SP 800-171?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is closely related to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 is a set of guidelines for protecting controlled unclassified information (CUI) in non-federal information systems and organizations. It provides specific cybersecurity requirements for protecting CUI, including physical, technical, and administrative controls.

The CMMC 2.0 builds on the principles and requirements outlined in NIST SP 800-171, but it goes further by adding additional controls and requirements for protecting sensitive government information in the defense industrial base (DIB) supply chain. While NIST SP 800-171 is focused on protecting CUI, the CMMC 2.0 is focused on protecting controlled defense information (CDI), which is a more sensitive and specific category of information.

In order to become CMMC compliant, companies must first ensure that they are compliant with NIST SP 800-171. This means implementing the appropriate physical, technical, and administrative controls outlined in the publication. Once a company has achieved compliance with NIST SP 800-171, they can then move on to the CMMC certification process.

It is important to note that the CMMC 2.0 is not a replacement for NIST SP 800-171. Instead, it builds on the principles and requirements outlined in the publication to provide a more comprehensive set of standards for protecting sensitive government information in the DIB supply chain. By implementing the controls outlined in both NIST SP 800-171 and the CMMC 2.0, companies can ensure that their systems and networks are secure and compliant.

What are the 3 levels of CMMC?

  • Level 1 (Foundational) is the first level of the CMMC and it includes basic cyber hygiene practices that are essential for protecting any organization's information systems. These practices include things like ensuring that passwords are strong and regularly updated, using antivirus software, and regularly backing up important data. Additionally, Level 1 also includes requirements for access control, such as implementing policies for granting and revoking access to sensitive information. By following the guidelines at Level 1, organizations can take the first step towards protecting their systems and sensitive information from cyber threats.
  • Level 2 (Advanced) of the Cybersecurity Maturity Model Certification (CMMC) is the next level in the framework and it includes more advanced security practices for protecting sensitive information. In order to achieve compliance at this level, organizations must demonstrate that they have implemented a wider range of security controls, including physical security measures and technical controls such as network segmentation and data encryption. Additionally, Level 2 also includes requirements for incident response planning, training, and testing to ensure that the organization is prepared to handle a cyber attack. By following the guidelines at Level 2, organizations can significantly improve their ability to protect their systems and sensitive information from a range of cyber threats. The new Level 2 (Advanced) is aligned with NIST SP 800-171.
  • Level 3 (Expert) of the Cybersecurity Maturity Model Certification (CMMC) is the highest level in the framework and it includes the most advanced security practices for protecting sensitive information. In order to achieve compliance at this level, organizations must demonstrate that they have implemented a comprehensive set of security controls, including advanced technical controls such as continuous monitoring and intrusion detection. Additionally, Level 3 includes requirements for formalized risk management processes, as well as extensive training and awareness programs for all employees. By following the guidelines at Level 3, organizations can ensure that they have implemented robust security measures to protect their systems and sensitive information from even the most sophisticated cyber threats.

Who needs to be CMMC Compliant?

Any company that works with the U.S. Department of Defense (DoD) or handles controlled unclassified information (CUI) on behalf of the DoD will need to be CMMC compliant in order to continue doing business with the government. This includes a wide range of companies, from defense contractors and suppliers, to technology firms and professional services organizations.

In addition to these companies that directly work with the DoD, there are also many other organizations that may need to be CMMC compliant in order to comply with other regulatory requirements or industry standards. For example, companies that handle sensitive personal or financial information, such as healthcare providers or financial institutions, may be required to follow similar security practices in order to protect their customers' data. Additionally, companies that are subject to other government regulations, such as the Federal Information Security Management Act (FISMA) or the Payment Card Industry Data Security Standard (PCI DSS), may need to be CMMC compliant in order to meet those requirements.

Overall, the need for CMMC compliance depends on the specific industry and type of information that a company handles. However, any organization that works with sensitive government information or is subject to certain regulatory requirements is likely to need to be CMMC compliant in order to continue operating effectively and securely.

When will CMMC be required for DoD Contracts?

The CMMC is currently in the process of being implemented for all Defense Department contracts. According to the most recent information from the DoD, CMMC will be required for all contracts starting in September 2025. This means that all companies that wish to bid on Defense Department contracts will need to be CMMC compliant by that date in order to be eligible for the contract. The DoD has also stated that it will begin incorporating CMMC requirements into solicitations and contracts earlier, in order to give companies ample time to prepare for the new requirements.

What is the difference for Prime Contractors versus Sub-contractors?

There are some key differences in the way that CMMC compliance will be applied to prime contractors and sub-contractors.

Prime contractors are the main companies that are awarded Defense Department contracts and are responsible for delivering the goods or services specified in the contract. As such, prime contractors will need to be CMMC compliant at a higher level than sub-contractors. For example, a prime contractor may need to be compliant at Level 3 (Expert) in order to handle sensitive government information, while a sub-contractor that provides a specific component or service may only need to be compliant at Level 1 (Foundational).

Another key difference between prime contractors and sub-contractors is the way that CMMC compliance will be assessed and verified. Prime contractors will be required to undergo a formal third-party assessment in order to demonstrate their compliance with the CMMC framework. This assessment will be conducted by a certified CMMC Third Party Assessment Organization (C3PAO) and will involve a thorough review of the contractor's security practices and controls. On the other hand, sub-contractors will not be required to undergo a formal assessment and will instead be required to self-attest their compliance with the appropriate CMMC level.

Overall, the key differences between prime contractors and sub-contractors in terms of CMMC compliance are the level of compliance required and the way that compliance is assessed and verified. Prime contractors will need to be compliant at a higher level and will be subject to a formal third-party assessment, while sub-contractors will only need to self-attest their compliance at a lower level.

What is CUI?

Controlled Unclassified Information (CUI) is a term used by the U.S. government to describe sensitive information that is not classified but still requires protection. CUI data includes a wide range of information, including personally identifiable information (PII), financial data, intellectual property, and other types of sensitive information that may be subject to specific handling requirements.

CUI data is typically created or collected by the government in the course of its activities, but it may also be provided by contractors or other non-government organizations. The handling of CUI data is governed by specific regulations and policies, such as the CUI Registry and the CUI Executive Agent. These regulations and policies outline the requirements for protecting, storing, and sharing CUI data, as well as the penalties for failing to do so.

Overall, CUI data is any sensitive information that is not classified but still requires protection in order to prevent unauthorized access or disclosure. This may include a wide range of information, from personal data to intellectual property, and it is governed by specific regulations and policies to ensure its protection.

Learn About CMMC 2.0 Compliance and More With Phalanx

Phalanx MUZE supports compliance with virtually all the new CMMC Level 2 requirements related to the communication and storage of CUI. To learn more about how Phalanx can help you achieve CMMC 2.0 Level 2, contact us for a demo today. 

Get A Demo

See what Phalanx can do for your team.