CMMC has become an important part of doing business for any company that works, or wants to work, on government contracts. Naturally, one question on many contractors’ and subcontractors’ minds is “Who needs CMMC certification?”
Read on to learn more about who is required to obtain a CMMC certification, which level they need, and how CMMC is about to change forever.
The Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense (DoD) in 2019 to establish a set of regulations and standards that contractors must meet when handling sensitive government information. It became necessary because of a high volume of attacks on government contractors, who were targeted by attackers seeking government data without having to breach government defenses directly.
The goal of CMMC is to protect crucial government information, including controlled unclassified information (CUI) and federal contract information (FCI) that contractors need to complete work.
CMMC 2.0 was introduced in 2021 with the goal of streamlining and simplifying the certification regulations, making them more affordable and easier to maintain for businesses.
Here are a few of the major changes from CMMC 1.0 to 2.0:
In short, contractors and subcontractors working with or on behalf of the Department of Defense are required to hold some form of CMMC certification. The level required is determined by the contract and by whether the company will handle CUI or only FCI.
Organizations that only produce commercial off-the-shelf products are not required to meet any level of CMMC regulations.
If handling FCI—information that is not public and is generated by the government—a business is required to achieve level 1. If working with CUI—unclassified but highly sensitive information—levels 2 or 3 are required depending on the contract and information.
CMMC was formerly divided into 5 separate levels, each requiring more or fewer cybersecurity controls to achieve. In CMMC 2.0, those levels have been condensed into 3, but many of the requirements have been carried over and grouped into a comparable tier.
Here is a look at each tier, how it compares to CMMC 1.0, and what it takes for a business to qualify for that particular certification.
Level 1: Foundational Cybersecurity (Formerly CMMC 1.0 level 1)—Level 1 of CMMC 2.0 applies to companies that will only be handling FCI. It comprises 17 controls covering basic, foundational cybersecurity best practices designed to safeguard FCI and other less-sensitive information. Assessment for level 1 is performed internally (a self-assessment) and must be completed every year.
Level 2: Advanced Cybersecurity (Formerly CMMC 1.0 levels 2-3)—Level 2 certification in CMMC 2.0 is required for companies that will be working with CUI. These requirements are in complete alignment with NIST (National Institute of Standards and Technology) SP 800-171 and consist of 110 cybersecurity practices. Assessment for level 2 is either a third-party assessment or a self-assessment, depending on the information handled, and occurs every three years.
Level 3: Expert Cybersecurity (Formerly CMMC 1.0 levels 4-5)—The highest level of CMMC certification is focused on protecting CUI within the DoD’s high-priority programs. This level is focused on defending against advanced persistent threats and has 110+ controls, including some drawn from NIST SP 800-172. For level 3, a government-led assessment must occur every 3 years.
The process of getting CMMC certified depends on which level you are required to obtain. Each level, as discussed above, requires a different number of controls and practices, and has a unique assessment process to prove that the requirements are met.
For example, in level 1 of CMMC 2.0, a company must meet the standards set (the 17 cybersecurity controls) and perform a self-assessment to demonstrate compliance. For level 2, a self-assessment or third-party assessment is needed, and level 3 requires a government-led assessment to confirm that all requirements are met.
The frequency of tests also depends on the level of certification. Level 1’s assessment must be completed every year, while levels 2 and 3 occur every 3 years.
For businesses that wish to work with the DoD on government contracts, some level of CMMC will most likely be required, depending on the sensitivity of the government information involved. Whether or not you plan to work on government contracts, it is a good idea to use the CMMC guidelines as a foundation for establishing cybersecurity best practices of your own to defend against potential attacks.
For a complete look at the CMMC requirements, check out our CMMC Requirements Overview eBook.