About CMMC
Cybersecurity Maturity Model Certification Audit
Government Contractors and Information Security – ‘A Look into the Future’
OVERVIEW
What is CMMC?
The CMMC model is a unified cybersecurity standard that companies currently working with, or seeking to work with, the Department of Defense (DoD) will have to meet at one of its defined levels. Its main goal is to ensure that appropriate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor networks.
CMMC 1.0 vs. CMMC 2.0
CMMC 2.0 pared down the scope and expectations of the previous CMMC 1.0 model. The revised model is designed to lower barriers to compliance by reducing costs, particularly for small businesses, and by clarifying cybersecurity requirements and aligning them with other federal requirements and commonly accepted standards. This updated model is currently under public review, and until it is accepted all CMMC requirements are on hold.
A comparison of the two models is shown below:
CMMC 2.0 Levels Broken Down
Understanding CMMC 2.0 Level 1
CMMC 2.0 Level 1 will include the 17 practices of CMMC 1.0 Level 1, a limited subset of NIST SP 800-171 intended for basic cyber hygiene. This level will apply to organizations handling ONLY Federal Contract Information (FCI). The department sees this foundational level as an opportunity to engage contractors in developing and strengthening their cybersecurity posture. CMMC 2.0 Level 1 will be achievable with an annual self-assessment.
Understanding CMMC 2.0 Level 2
CMMC 2.0 Level 2 includes the 110 controls of NIST SP 800-171. Level 2 will be split based on the criticality of the information the organization holds. Organizations holding CUI identified as critical to national security will require a third-party assessment (by a C3PAO) every three years. For select organizations, an annual self-assessment against these controls will be sufficient.
Understanding CMMC 2.0 Level 3
CMMC 2.0 Level 3 is still under development, but the official website lists 110+ practices based on NIST SP 800-172, building on the Level 2 requirements. The most important thing to know is that Level 3 assessments will be conducted by the government rather than by C3PAOs.
A comparison of the two models is shown below.
What CMMC 2.0 Level will my company require?
For organizations handling only FCI, this is greatly simplified: the requirement is Level 1, and CMMC 1.0's transitional Level 2 has been removed.
For organizations handling CUI, the required CMMC level for contractors and subcontractors will be specified in Requests for Information and solicitations. No CMMC requirements will be added to contracts until the formal rulemaking process is complete.
Timeline for CMMC V2.0
The DoD has stated that there will be no contractual requirements for CMMC 2.0 until formal rulemaking is complete. This process is expected to take 9 to 24 months.
Benefits of CMMC 2.0
Although many contractors will be obliged to comply with the CMMC model in some capacity, the mandate is not the only reason for companies to invest in certification at one of the three levels. There are numerous benefits to companies that undergo the certification.
How Kreative Can Help
Kreative has processes in place to help clients subject to the DoD's CMMC standards pass their compliance assessments. Our highly trained experts and 100% success rate demonstrate our ability to help improve your company's cybersecurity posture and mitigation strategies.
If your company needs direction on becoming CMMC compliant, don't wait. Fill out the form below to get in touch with our security experts and start your journey today.