Cybersecurity Maturity Model Certification (CMMC) is a U.S. Government-mandated certification program designed to improve supply chain security in the defense industry.
The Department of Defense will require all contractors to be certified to one of three CMMC levels by the end of 2025.
CMMC is a rigorous process and is intended to take you to a higher level of cybersecurity preparedness. CMMC establishes a measurable set of standards and practices for safeguarding both Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and is designed to protect both data and systems from cyber-attack. In order to preserve U.S. national security, the federal government is requiring organizations working with the DoD to become certified once the CMMC final rule goes into force.
Three levels of CMMC certification.
Which CMMC certification level will you need? That depends on the type of work you do, the specifics of your DoD contract, and the kind of information you handle in the course of fulfilling the contract. Your level is determined by your DoD contracting officer and is clearly specified in your contract.
The CMMC certification levels are:
Level 1 – Foundational Cyber Hygiene Practice. This is a basic level of cybersecurity achieved by security-conscious organizations both within and outside of the defense industry. Level 1 certification requires compliance with 17 specific practices (security controls).
Level 2 – Advanced Cyber Hygiene Practice. This level incorporates the DoD cybersecurity requirements of NIST Special Publication 800-171 Rev2. Level 2 requires compliance with 110 total practices (including those of Level 1).
Level 3 – Expert Practice. Level 3 certification requires compliance with the standards of Level 2 (including NIST 800-171) and certain provisions of NIST Special Publication 800-172.
The Department of Defense has published the CMMC 2.0 Assessment Guide, Level 1 and the CMMC 2.0 Assessment Guide, Level 2 to further explain CMMC compliance requirements. An assessment guide for Level 3 has yet to be published.
Fully understanding the requirements of each level can be overwhelming for many organizations. We’re here to answer your questions. Call us today.
Monarch is the Northeast’s only Certified Third Party Assessment Organization (C3PAO).
All Content © 2024 Monarch ISC