If your business works with the U.S. Department of Defense (DoD), you’re likely familiar with the Cybersecurity Maturity Model Certification (CMMC). This framework is designed to protect sensitive government information, but its different levels can be confusing. Which one applies to your organization?
This article will simplify the CMMC levels and clarify which requirements apply to your business.
Understanding CMMC
The primary goal of CMMC is to safeguard two types of sensitive government data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 was introduced to streamline the compliance process, building upon the foundation of the NIST 800-171 standard.
This new version aims to make cybersecurity standards more accessible for contractors while still ensuring protection for sensitive data. Every contractor in the Defense Industrial Base (DIB) must meet one of the three CMMC levels to be eligible for DoD contracts.
CMMC Levels Overview
The CMMC 2.0 framework is broken down into three levels of increasing security requirements. Each level is designed for organizations based on the type and sensitivity of the information they handle.
Level 1 – Foundational
Level 1 is for organizations that only handle Federal Contract Information (FCI). FCI is information not intended for public release that is provided by or generated for the government under a contract.
- Core Practices: This level requires basic safeguarding controls as outlined in FAR 52.204-21. These are fundamental cybersecurity hygiene practices that every business should implement.
- Examples of Requirements: Requirements include using strong passwords, installing antivirus software, and limiting information system access to authorized users.
Level 2 – Advanced
This level is for contractors who handle Controlled Unclassified Information (CUI). CUI is sensitive information that requires safeguarding but is not classified.
- Core Practices: Level 2 aligns with the 110 security controls of NIST SP 800-171. It represents a significant step up in cybersecurity maturity.
- Examples of Requirements: This includes implementing multi-factor authentication (MFA), developing incident response plans, and encrypting CUI on mobile devices.
Level 3 – Expert
Level 3 is reserved for contractors working with the most sensitive CUI on the highest-risk DoD programs.
- Core Practices: The requirements for this level are based on a subset of controls from NIST SP 800-172, which focuses on enhanced security against advanced persistent threats (APTs).
- Examples of Requirements: This involves proactive threat hunting, robust security monitoring, and implementing advanced, in-depth cyber defenses to protect critical data.
Which Level Applies to You?
To determine your required CMMC level, you first need to identify the type of information your organization handles. Do you work exclusively with FCI, or do your contracts involve CUI? Your contract requirements will explicitly state the necessary CMMC level for that specific project.
Misclassifying your data or failing to comply with the correct level carries significant risks. Non-compliance can lead to the loss of existing contracts and make you ineligible for future DoD work. It’s crucial to get this right.
Steps to Prepare for CMMC
Getting ready for a CMMC assessment involves a systematic approach. Here are the key steps to take:
- Conduct a Gap Analysis: Assess your current cybersecurity practices against the requirements of the CMMC level that applies to you.
- Document Policies and Procedures: Create and maintain clear documentation for your security policies, controls, and incident response plans.
- Partner with Experts: Consider working with a Managed Service Provider (MSP) like Simple Systems to guide you through assessment and remediation.
- Continuously Monitor: CMMC is not a one-time check. You must continuously monitor your systems to maintain compliance and stay prepared for future audits.
Simplify Your CMMC Compliance Journey With Simple Systems
Navigating the complexities of CMMC can feel overwhelming, but you don’t have to do it alone. Simple Systems provides expert IT services to help Utah businesses understand and achieve their required level. We’ll work with you to ensure your technology is secure, compliant, and ready for any challenge. Let us handle the complexities of CMMC so you can focus on running your business.
Contact us today to learn how!