The Cybersecurity Maturity Model Certification (CMMC) is a framework that grades a company's cybersecurity maturity on a scale from Level 1 (least stringent) to Level 5 (most stringent).
Businesses (contractors) will be asked to comply with a tiered rating system, with the required tier depending on the systems and information they handle in their work for the Department of Defense (DoD).
For example, a contractor providing janitorial services may only need to comply with CMMC Level 1, as opposed to Level 3, which encompasses the NIST SP 800-171 requirements, or Level 4, which is reserved for exquisite systems.
Complying with CMMC Is Not Optional
Does my business really need to comply with CMMC if I don't deliver services directly to the DoD?
Yes. Every prime contractor and subcontractor in the supply chain will be audited and certified under the CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). This benefits the security of the contractors and the DIB as a whole, and helps the DoD avoid losses due to cyber breaches.
The Maturity Levels of NIST 800-171/CMMC Compliance:
The CMMC requires third-party audits and certification across the DoD supply chain. Defense contractors handling sensitive but unclassified information must implement the 110 security controls of NIST SP 800-171. The framework organizes cybersecurity in DoD supply chains into five certification tiers.
Five Certification Tiers (controls listed for each level are those added at that level; Levels 1 through 3 together cover the 110 controls of NIST SP 800-171, and Levels 4 and 5 draw on the enhanced requirements of NIST SP 800-171B):
- CMMC Level 1 | Basic Cyber Hygiene | 17 security controls (NIST SP 800-171 rev 1)
- CMMC Level 2 | Intermediate Cyber Hygiene | 46 security controls (NIST SP 800-171 rev 1)
- CMMC Level 3 | Good Cyber Hygiene | 47 security controls (NIST SP 800-171 rev 1), for a cumulative total of 110
- CMMC Level 4 | Proactive | 26 security controls (NIST SP 800-171B)
- CMMC Level 5 | Advanced/Progressive | 4 security controls (NIST SP 800-171B)