In November 2021, the DoD overhauled the Cybersecurity Maturity Model Certification (CMMC) program, leaving many Defense Industrial Base (DIB) organizations wondering whether they will still need to comply. But the question of who needs CMMC certification is less important than its corollary: which Level of CMMC certification do organizations need? The kinds of sensitive data involved in a current or prospective DoD contractor’s scope of work will determine what Level they need to meet and what controls they need to implement to do so—sooner rather than later.
What CMMC Level Do I Need to Meet?
The specific CMMC level your organization needs to achieve will be spelled out in the contract you apply for and earn with the DoD. However, there are some general expectations for the kind of work—and DoD contracts—that are likely to warrant Level 1, Level 2, or Level 3 certification.
This guide will cover everything you need to know about the CMMC certification levels:
- Who needs to reach CMMC Level 1 certification, and how to do it
- Who needs to reach CMMC Level 2 certification, and how to do it
- Who needs to reach CMMC Level 3 certification, and how to do it
Maintaining certification, at the appropriate level, is critical to securing DoD contracts.
Regulatory Context and Sources
The CMMC is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). It was developed to streamline compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) across the DIB.
The CMMC is designed to provide structure for organizations to implement National Institute of Standards and Technology (NIST) frameworks—namely Special Publications (SP) 800-171 and SP 800-172. These frameworks protect specific classes of information, the types of which determine which CMMC Level is needed.
Who Needs CMMC Level 1?
The question of who needs to be CMMC certified begins with those organizations at Level 1.
The primary purpose of DFARS and SP 800-171 and 172 is protecting the kinds of information critical to the safety of the DoD and, by extension, all US citizens. The first kind of information in this category is Federal Contract Information (FCI), which is defined in Federal Acquisition Regulation (FAR) Clause 52.204-21. Any organization that stores, processes, or otherwise comes into contact with FCI—but not more sensitive data—will likely need to meet CMMC 2.0 Level 1.
Organizations at Level 1 are subject to annual self-assessments to achieve CMMC certification.
CMMC Requirements at Level 1
Certification at CMMC 2.0 Level 1 does not touch all 14 Domains, adapted from the NIST SP 800-171. There are 17 Practices, spread across six Domains, comprising Foundational security:
- Access Control (AC) – Four AC Practices:
  - Authorize access control
  - Control transactions and functions
  - Control external connections
  - Control public information
- Identification and Authentication (IA) – Two IA Practices:
  - Identify all assets and users across systems
  - Require authentication of identity for access
- Media Protection (MP) – One MP Practice:
  - Sanitize media containing FCI before disposal
- Physical Protection (PE) – Four PE Practices:
  - Limit physical access to data environments
  - Escort visitors and monitor their activity
  - Maintain audit logs regarding physical access
  - Control devices used in relation to physical access
- System and Communications Protection (SC) – Two SC Practices:
  - Protect boundaries to data environments
  - Separate public and private networks
- System and Information Integrity (SI) – Four SI Practices:
  - Identify and remediate flaws in information systems
  - Protect FCI against malicious code
  - Update protections as soon as possible
  - Scan systems when files are added, opened, or used
These controls correspond roughly to the requirements at Level 1 for CMMC v1.02.
Who Needs CMMC Level 2?
Organizations that need Level 2 Certification for CMMC 2.0 are those that process more than just FCI. The other sensitive category of information protected by DFARS and SP 800-171 is Controlled Unclassified Information (CUI).
CUI is a wide-ranging category comprising many kinds of technical and defense-related information, such as repair manuals for weapons or machinery, which is sensitive but not officially classified. The security safeguards for CUI are defined in DFARS Clause 252.204-7012, informing the protections across NIST SP 800-171.
Organizations at Level 2 are subject to triennial third-party assessments for certification; a select subset of organizations at Level 2 may be eligible for annual self-assessments, like at Level 1.
CMMC Requirements at Level 2
Certification at CMMC 2.0 Level 2 requires full implementation of the NIST SP 800-171 framework, including all 110 Practices spread across all 14 Domains, for Advanced security:
- Access Control (AC) – 18 additional AC Practices:
  - Control flow of CUI
  - Separate duties
  - Implement the least privilege principle
  - Control non-privileged account use
  - Control privileged functions
  - Limit unsuccessful login attempts
  - Provide privacy and security notices
  - Lock sessions after inactivity
  - Terminate sessions after inactivity
  - Control remote access
  - Make remote access confidential
  - Control remote access routing
  - Control remote access privileges
  - Authorize wireless access points
  - Protect wireless access points
  - Control mobile access points
  - Encrypt CUI accessed on mobile devices
  - Limit portable storage use
- Awareness and Training (AT) – Three AT Practices:
  - Implement role-based risk awareness
  - Implement role-based training
  - Implement insider threat awareness
- Audit and Accountability (AU) – Nine AU Practices:
  - Audit systems regularly
  - Ensure user accountability
  - Perform event reviews regularly
  - Alert stakeholders of failed audits
  - Correlate audit results and analysis
  - Provide audit record reduction and reporting
  - Synchronize audits to an authoritative time source
  - Protect all audit logs and related information
  - Limit audit management to select privileged users
- Configuration Management (CM) – Nine CM Practices:
  - Establish and maintain system baselines
  - Enforce configuration settings across systems
  - Manage changes to security configurations
  - Analyze the impact of changes to configurations
  - Restrict access to information about configurations
  - Implement the least functionality principle
  - Restrict all nonessential functionalities
  - Apply a deny-by-exception policy across applications
  - Monitor and control all user-installed software
- Identification and Authentication (IA) – Nine additional IA Practices:
  - Implement multi-factor authentication (MFA)
  - Implement replay-resistant authentication
  - Prevent the re-use of identifiers
  - Disable inactive identifiers
  - Enforce minimum password complexity
  - Prohibit the re-use of passwords
  - Enable temporary passwords with immediate changes
  - Encrypt passwords for storage and transmission
  - Obscure feedback about authentication information
- Incident Response (IR) – Three IR Practices:
  - Implement incident handling protocols
  - Implement incident reporting protocols
  - Implement incident response testing
- Maintenance (MA) – Six MA Practices:
  - Perform regular maintenance
  - Control systems used for maintenance
  - Sanitize equipment prior to off-site maintenance
  - Inspect media used for maintenance
  - Require MFA for nonlocal maintenance
  - Supervise maintenance personnel
- Media Protection (MP) – Eight additional MP Practices:
  - Protect media containing CUI
  - Limit access to media containing CUI
  - Mark media containing CUI appropriately
  - Maintain accountability for media containing CUI
  - Encrypt media containing CUI during transport
  - Control the use of portable media containing CUI
  - Prohibit portable storage media with no clear owner
  - Protect backups of CUI at storage locations
- Personnel Security (PS) – Two PS Practices:
  - Screen individuals before granting access to CUI
  - Secure CUI across personnel actions (terminations, etc.)
- Physical Protection (PE) – Two additional PE Practices:
  - Monitor and protect facilities
  - Monitor and protect alternate work sites
- Risk Assessment (RA) – Three RA Practices:
  - Assess risks periodically
  - Conduct vulnerability scans
  - Remediate identified vulnerabilities
- Security Assessment (CA) – Four CA Practices:
  - Assess security controls periodically
  - Develop and implement action plans
  - Monitor controls for ongoing efficacy
  - Develop and implement system security plans
- System and Communications Protection (SC) – 14 additional SC Practices:
  - Engineer network security safeguards
  - Separate user and management functionality
  - Prevent unauthorized or unintended resource sharing
  - Implement deny all, permit by exception controls
  - Implement split tunneling controls
  - Terminate connections after inactivity
  - Establish and manage cryptographic keys
  - Ensure confidentiality of CUI by encryption
  - Prohibit remote activation for collaboration
  - Monitor and control the use of mobile code
  - Monitor and control the use of Voice over Internet Protocol (VoIP)
  - Authenticate all communication sessions
  - Ensure confidentiality for CUI at rest
- System and Information Integrity (SI) – Three additional SI Practices:
  - Monitor and respond to security alerts
  - Monitor and respond to communications attacks
  - Identify and address unauthorized access and use
These controls correspond roughly to the requirements at Level 3 for CMMC v1.02.
Who Needs CMMC Level 3?
At present, it is not completely clear who needs to comply with CMMC up to Level 3. Level 3’s infrastructure is intended to maximize protection for CUI, building upon the foundation that full NIST SP 800-171 establishes. Therefore, organizations with the largest repositories of CUI, or who depend most closely on CUI for daily functioning, are most likely to require Level 3.
One way to project whether your organization needs to reach Level 3 certification is to compare new contracts against older ones that assume the CMMC 1.02 framework as a basis. Level 3 in CMMC 2.0 is the equivalent of Level 5 in CMMC 1.02. If you needed Level 5 before, you likely need Level 3 now—and you’ll need to seek out triennial, government-led assessments to certify.
CMMC Requirements at Level 3
Certification at CMMC 2.0 Level 3 will require implementing controls from SP 800-172, which follow the same Domains as SP 800-171. The extent of these controls, which will comprise Expert security, is as yet unknown. As the OUSD(A&S) develops the CMMC model further, more information should soon become available about what Level 3 certification will require.
What is known, at present, is that the controls for this Level will correspond roughly to the requirements at Level 5 for CMMC v1.02. Organizations should plan accordingly.
How RSI Security Can Help
For any current or prospective DoD contractor who needs CMMC certification, at any level, choosing a CMMC partner is one of the most critical steps on the path to full implementation.
RSI Security has been recognized by the Cyber AB (formerly the CMMC Accreditation Body (CMMC-AB)) as a CMMC Third-Party Assessor Organization (C3PAO).
We are prepared to facilitate every step of the implementation and certification process for organizations at every CMMC level. Our experts will help you understand the NIST SP 800-171 and 172 requirements, install controls to meet them, and gather evidence to facilitate annual or triennial assessments.
Contact RSI Security today to rethink your cyberdefense and streamline CMMC certification!