In November 2021, the DoD revised the Cybersecurity Maturity Model Certification (CMMC) program, leading many in the Defense Industrial Base (DIB) to question their compliance needs. The critical issue now is not whether certification is required, but which CMMC level your organization needs to meet. The nature of the sensitive data you manage will determine the appropriate level and the specific controls you must implement, so addressing this promptly is essential.
What CMMC Level Do I Need to Meet?
Your specific CMMC level requirements will be detailed in the DoD contract you pursue. Generally, different types of work and contracts will necessitate Level 1, Level 2, or Level 3 certification. This guide provides a comprehensive overview of each CMMC level, including who needs which level and how to achieve it. Maintaining the appropriate certification level is crucial for securing and retaining DoD contracts.
Regulatory Context and Sources
The CMMC is managed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) and aims to simplify compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) for the Defense Industrial Base (DIB). It provides a structured approach for organizations to implement National Institute of Standards and Technology (NIST) frameworks, specifically Special Publications (SP) 800-171 and SP 800-172. These frameworks safeguard various types of sensitive information, which in turn determines the necessary CMMC level.
Who Needs CMMC Level 1?
The question of CMMC certification starts with Level 1 organizations. DFARS and SP 800-171 and 172 focus on protecting information crucial to DoD safety and, by extension, national security. Specifically, Federal Contract Information (FCI), as defined in FAR Clause 52.204-21, falls under this category. Thus, organizations that store, process, or otherwise come into contact with FCI, but not more sensitive data, will generally need to achieve CMMC 2.0 Level 1. These organizations are required to complete annual self-assessments to maintain their certification.
CMMC Requirements at Level 1
Achieving CMMC 2.0 Level 1 certification doesn’t require covering all 14 Domains from NIST SP 800-171. Instead, it focuses on 17 Practices across six Domains, addressing Foundational security needs:
- Access Control (AC) – Four AC Practices:
  - Authorize access control
  - Control transactions and functions
  - Control external connections
  - Control public information
- Identification and Authentication (IA) – Two IA Practices:
  - Identify all assets and users across systems
  - Require authentication of identity for access
- Media Protection (MP) – One MP Practice:
  - Sanitize media containing FCI before disposal
- Physical Protection (PE) – Four PE Practices:
  - Limit physical access to data environments
  - Escort visitors and monitor their activity
  - Maintain audit logs regarding physical access
  - Control devices used in relation to physical access
- System and Communications Protection (SC) – Two SC Practices:
  - Protect boundaries to data environments
  - Separate public and private networks
- System and Information Integrity (SI) – Four SI Practices:
  - Identify and remediate flaws in information systems
  - Protect FCI against malicious code
  - Update protections as soon as possible
  - Scan systems when files are added, opened, or used
These controls correspond roughly to the requirements at Level 1 for CMMC v1.02.
Who Needs CMMC Level 2?
Organizations requiring CMMC 2.0 Level 2 Certification handle more than just FCI. They deal with Controlled Unclassified Information (CUI), which includes a range of technical and defense-related data—such as repair manuals for weapons or machinery—that is sensitive but not classified. Security measures for CUI are outlined in DFARS Clause 252.204-7012, informing the protections across NIST SP 800-171. Level 2 organizations undergo third-party assessments every three years, though some may qualify for annual self-assessments similar to Level 1.
CMMC Requirements at Level 2
To achieve CMMC 2.0 Level 2 certification, you need to fully implement the NIST SP 800-171 framework, which includes all 110 Practices across the 14 Domains. This ensures a robust level of Advanced security:
- Access Control (AC) – 18 additional AC Practices:
  - Control flow of CUI
  - Separate duties
  - Implement the least privilege principle
  - Control non-privileged account use
  - Control privileged functions
  - Limit unsuccessful login attempts
  - Provide privacy and security notices
  - Lock sessions after inactivity
  - Terminate sessions after inactivity
  - Control remote access
  - Make remote access confidential
  - Control remote access routing
  - Control remote access privileges
  - Authorize wireless access points
  - Protect wireless access points
  - Control mobile access points
  - Encrypt CUI accessed on mobile devices
  - Limit portable storage use
- Awareness and Training (AT) – Three AT Practices:
  - Implement role-based risk awareness
  - Implement role-based training
  - Implement insider threat awareness
- Audit and Accountability (AU) – Nine AU Practices:
  - Audit systems regularly
  - Ensure user accountability
  - Perform event reviews regularly
  - Alert stakeholders of failed audits
  - Correlate audit results and analysis
  - Provide audit record reduction and reporting
  - Synchronize audits to an authoritative time source
  - Protect all audit logs and related information
  - Limit audit management to select privileged users
- Configuration Management (CM) – Nine CM Practices:
  - Establish and maintain system baselines
  - Enforce configuration settings across systems
  - Manage changes to security configurations
  - Analyze the impact of changes to configurations
  - Restrict access to information about configurations
  - Implement the least functionality principle
  - Restrict all nonessential functionalities
  - Apply a deny-by-exception policy across applications
  - Monitor and control all user-installed software
- Identification and Authentication (IA) – Nine additional IA Practices:
  - Implement multi-factor authentication (MFA)
  - Implement replay-resistant authentication
  - Prevent the re-use of identifiers
  - Disable inactive identifiers
  - Enforce minimum password complexity
  - Prohibit the re-use of passwords
  - Enable temporary passwords with immediate changes
  - Encrypt passwords for storage and transmission
  - Obscure feedback about authentication information
- Incident Response (IR) – Three IR Practices:
  - Implement incident handling protocols
  - Implement incident reporting protocols
  - Implement incident response testing
- Maintenance (MA) – Six MA Practices:
  - Perform regular maintenance
  - Control systems used for maintenance
  - Sanitize equipment prior to off-site maintenance
  - Inspect media used for maintenance
  - Require MFA for nonlocal maintenance
  - Supervise maintenance personnel
- Media Protection (MP) – Eight additional MP Practices:
  - Protect media containing CUI
  - Limit access to media containing CUI
  - Mark media containing CUI appropriately
  - Maintain accountability for media containing CUI
  - Encrypt media containing CUI during transport
  - Control the use of portable media containing CUI
  - Prohibit portable storage media with no clear owner
  - Protect backups of CUI at storage locations
- Personnel Security (PS) – Two PS Practices:
  - Screen individuals before granting access to CUI
  - Secure CUI across personnel actions (terminations, etc.)
- Physical Protection (PE) – Two additional PE Practices:
  - Monitor and protect facilities
  - Monitor and protect alternate work sites
- Risk Assessment (RA) – Three RA Practices:
  - Assess risks periodically
  - Conduct vulnerability scans
  - Remediate identified vulnerabilities
- Security Assessment (CA) – Four CA Practices:
  - Assess security controls periodically
  - Develop and implement action plans
  - Monitor controls for ongoing efficacy
  - Develop and implement system security plans
- System and Communications Protection (SC) – 14 additional SC Practices:
  - Engineer network security safeguards
  - Separate user and management functionality
  - Prevent unauthorized or unintended resource sharing
  - Implement deny all, permit by exception controls
  - Implement split tunneling controls
  - Terminate connections after inactivity
  - Establish and manage cryptographic keys
  - Ensure confidentiality of CUI by encryption
  - Prohibit remote activation for collaboration
  - Monitor and control the use of mobile code
  - Monitor and control the use of Voice over Internet Protocol (VoIP)
  - Authenticate all communication sessions
  - Ensure confidentiality for CUI at rest
- System and Information Integrity (SI) – Three additional SI Practices:
  - Monitor and respond to security alerts
  - Monitor and respond to communications attacks
  - Identify and address unauthorized access and use
These controls correspond roughly to the requirements at Level 3 for CMMC v1.02.
Who Needs CMMC Level 3?
Currently, it’s not entirely clear who needs to comply with CMMC Level 3. Level 3 is designed to provide maximum protection for CUI, building on the robust framework of NIST SP 800-171. Typically, organizations with the largest or most critical CUI repositories are the ones that will need Level 3 certification. To determine if your organization requires Level 3, compare your new contracts to older ones that followed the CMMC 1.02 framework—Level 3 in CMMC 2.0 corresponds to Level 5 in CMMC 1.02. If you previously needed Level 5, you’ll likely need Level 3 now and will require triennial government-led assessments for certification.
CMMC Requirements at Level 3
Achieving CMMC 2.0 Level 3 certification will involve implementing controls from SP 800-172, which align with the same Domains as SP 800-171. The specifics of these Expert security controls are still being finalized. As the OUSD(A&S) continues to refine the CMMC model, more details on Level 3 requirements will become available. For now, it’s understood that Level 3 will generally match the requirements of Level 5 under the previous CMMC v1.02, so organizations should plan accordingly.
How RSI Security Can Help
For any current or future DoD contractor seeking CMMC certification, selecting the right CMMC partner is a crucial step toward successful implementation. RSI Security, recognized by the Cyber AB as a CMMC Third-Party Assessor Organization (C3PAO), is ready to support you throughout the entire certification process. Our experts will guide you through understanding and applying NIST SP 800-171 and 172 requirements, implementing necessary controls, and preparing for both annual and triennial assessments.
Contact RSI Security today to rethink your cyberdefense and streamline CMMC certification!