The DoD Contractor's Guide to CMMC Level 2
Cost-Effective NIST SP 800-171 and CMMC Solutions
Contact us below for CMMC help specific to your company's needs.
The Need for the Cybersecurity Maturity Model Certification
In a recent Identity Theft Resource Center report, they estimate that the United States government and military faced over 80 data breaches in 2019. As a result, over 3.5 million sensitive records were exposed. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board.
DFARS, NIST, and CMMC
While the U.S. government's initial approach to introducing fundamental security controls into the national defense supply chain called for compliance with NIST SP 800-171 through DFARS 252.204-7012, these measures weren't enough. The Cyber Security Model Certification (CMMC) was released in early 2020 to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Unlike the NIST SP 800-171, the CMMC does not offer the option to self-certify, as it requires a sign-off from a C3PAO, third party assessor. The CMMC certification process will begin as C3PAOs become available (est. late 2021). Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.
CMMC will replace NIST SP 800-171. As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation beginning November 30, 2020.
Find your NIST SPRS score with our free self-assessment tool.
Understanding CUI
There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some of the more common specific categories include:
- Tax information
- Law enforcement data
- Critical infrastructure
- Controlled technical information, including schematics
- Unclassified nuclear
- Natural and cultural resources
Many defense contractors also create, store or process general categories such as:
- Controlled technical information
- Inventions and patent applications
- Proprietary manufacturer
- General proprietary business information
- General privacy
- Health information
- General procurement and acquisition
- Small business research and technology
> Request our CMMC Level 2 Self-Assessment Tool for a complete list of CUI categories
CMMC Compliance Requirements
The CMMC framework features three levels of cyber security maturity. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. As defined in DFARS 252.204-7019-7021, almost all 300,000+ DoD contractors have or handle CUI and must become CMMC Level 2 certified by October 2025 to remain eligible for DoD contracts.
To prevent exclusion from contracts as CMMC is implemented, contractors must determine whether their organization is subject to CMMC requirements, assess their compliance against the requirements of the level they need, obtain a gap analysis, remediate those gaps in compliance, and be audited through a Certified Third-party Assessor Organization (C3PAO) certification assessment.
* InfoDefense is a C3PAO candidate.
Level 1
FOUNDATIONAL
17 Cybersecurity Practices
Level 2
ADVANCED
110 Cybersecurity Practices
Level 3
EXPERT
130 Cybersecurity Practices
Steps to CMMC Compliance
1. Determine Your CMMC Requirements
First off, you need to determine what level of CMMC your business requires. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. Well over 90% of DoD contractors require CMMC Level 2 compliance. Along with our no-cost self-assessment tool, our CMMC experts can help you determine whether your business is subject to CMMC requirements and which compliance level you require.
Level 1
FOUNDATIONAL
17 Cybersecurity Practices
Level 2
ADVANCED
+ 93 Cybersecurity Practices
17 Cybersecurity Practices
Level 3
EXPERT
+ 20 Enhanced Cybersecurity Practices
93 Cybersecurity Practices
17 Cybersecurity Practices
Basic Safeguarding of FCI
Increasing Protection of CUI
Reducing Risk of APTs
- See Level 1 Self-Assessment Guide
- Applies to companies handling Federal Contract Information (FCI)
- 17 Cybersecurity Practices
- Company must comply and perform all practices
- See Level 2 Assessment Guide
- Applies to companies handling Controlled Unclassified Information (CUI)
- 110 Cybersecurity Practices
- Must perform, document, and manage practices
- Applies to companies requiring increased protection of CUI and protection against advanced persistent threats (APTs) through increased depth and sophistication of security capabilities
- 130 Cybersecurity Practices
- Companies must perform, document, manage, review, standardize and optimize practices to determine their effectiveness
2. Get Your Gap Analysis
Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement. This can be accomplished through our CMMC Level 2 Self-Assessment Tool or a CMMC Gap Analysis performed by our compliance experts. Once complete, the analysis will detail each requirement and determine if your organization is currently prepared to meet compliance for it.
3. Implement Your Remediation
Once the assessment is completed and you have your gap analysis in hand, a detailed Plan of Action and Milestones (POA&M) should be created so that solutions required to ensure certification can be implemented. Your existing IT Team(s) can accomplish this, or you can partner with InfoDefense and we will help you achieve 100% compliance through our Standalone Services or CyberSecure 360, our comprehensive security and compliance managed services program.
4. Complete a C3PAO Certification Assessment
Unlike the NIST SP 800-171, contractors must be audited through a Certified Third-party Assessor Organization (C3PAO)* certification assessment to receive CMMC certification. The CMMC certification process will begin as C3PAOs become available. It is important to note that C3PAO cyber security consultants that aid a contractor with CMMC compliance remediation cannot perform that same contractor's Certification Assessment.
Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility. As such, our CMMC Pre-Audit Assessment helps ensure that you've remediated any outstanding practices or processes found in your Gap Analysis, verifying 100% compliance before the auditing process takes place.
*InfoDefense is a C3PAO candidate.
CMMC is as simple as that with InfoDefense.
Call 972-922-3100 or contact us below for more information and guidance for your compliance needs.