Why You Need to Understand Basic CMMC and CMMC Compliance Requirements

The Cybersecurity Maturity Model Certification, or CMMC, is part of the Department of Defense’s (DoD) new verification process. The CMMC was designed to ensure that the cybersecurity processes and controls protecting Controlled Unclassified Information (CUI) residing on Defense Industrial Base (DIB) networks and systems are properly implemented.

It is important to understand the CMMC compliance requirements so you can implement them properly. The minimum CMMC certification level requires basic cyber hygiene and that its processes are performed correctly. Its 17 practice requirements are equivalent to the 15 practices in the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 as well as the 17 practices in NIST SP 800-171 Rev 1.

Defining CMMC Compliance

As noted, the main role of CMMC is to protect CUI across the DoD supply chain. CUI refers to any information or data possessed or created by the government, or by any entity on behalf of the government.

  • The definition of CUI is broad and can include financial, intelligence, legal, export-control, infrastructure, and other data.
  • The CMMC framework includes practices, processes, and approaches that standardize the assessment of a DoD vendor’s capabilities.
  • The CMMC compliance requirements are mainly broken down into processes and practices, and depend solely on the certification level.
  • Each level of the certification includes the requirements of the levels below it. For example, Level 3 certification includes the requirements of Levels 1 and 2, as well as additional requirements for Level 3.

Certification Level Description

There are five CMMC levels:

  • Level 1 deals with basic cyber hygiene.
  • Level 2 handles intermediate cyber hygiene.
  • Level 3 covers good cyber hygiene, for which the final 45 controls need to be implemented along with 13 new “other” controls.
  • Level 4 covers “proactive” cybersecurity and adds 11 extra controls from NIST 800-171 Rev 2.
  • Level 5, the last level, covers “progressive or advanced” cybersecurity. Here, DoD contractors must add the remaining controls in NIST 800-171 Rev 2.

Note that you also need to understand data security addendum services in addition to the CMMC requirements. A data security addendum is a unique agreement between a government entity and a private contractor, and the government entity can be anything from a police department to a county IT department.