Effective November 30, 2020, all contractors working with the Department of Defense (DoD) are required to have Cybersecurity Maturity Model Certification (CMMC). Developed by the DoD, the CMMC is the unifying standard for implementing cybersecurity across the Defense Industrial Base (DIB). The purpose of the CMMC is to protect intellectual property and keep U.S. secrets secure.
All companies that interact with or manufacture products for the DoD will need to comply with the CMMC standards. All new proposal requests now require CMMC certifications. By 2025, all contractors interacting with the DoD will be required to show proof of CMMC certification.
There are five levels of certification in the CMMC. Each level introduces new security practice requirements necessary for certification.
Basic Cyber Hygiene – CMMC Level 1
CMMC Level 1 is an introduction to best practices and processes for basic cybersecurity hygiene. Cyber hygiene refers to best practices computer system administrators and users can use to improve cybersecurity in common online activities such as email, using the Internet, virtual meetings, etc.
The six basic cyber hygiene practices include:
- Access Control
- Identification and Authentication
- Media Protection
- Physical Protection
- System and Communication Protection
- System and Information Integrity
Basic cyber hygiene practices correspond to the basic safeguard requirements specified in 48 CFR § 52.204-21. Safeguarding is required for any system that processes, stores, or transmits federal contract information.
Intermediate Cyber Hygiene – CMMC Level 2
Level 2 adds security requirements that are specified in NIST SP 800-171, which is currently in its second revision. NIST SP 800-171 is used to protect controlled unclassified information, which is typically stored in non-federal systems and organizations.
The requirements introduced in Level 2 establish documented practices and policies to help guide the implementation of CMMC efforts across federally contracted organizations. Specifically, the documentation and practices are established to protect controlled unclassified information used by an organization.
Good Cyber Hygiene – CMMC Level 3
CMMC Level 3 is the best level for small and medium businesses to achieve. It is an ideal level for businesses that do not work directly with the DoD or government agencies but do conduct business with large companies that support the DoD.
Level 3 CMMC manages the processes and practices for controlled unclassified information (CUI). CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and policies. CUI is not considered classified information, but it still requires some level of protection from unauthorized access.
Level 3 introduces new processes and new required practices. NIST SP 800-171 introduces more standards in this level to help mitigate threats.
Be Proactive – CMMC Level 4
At this level, an organization is required to have a more in-depth management process for policies and practices for CUI. Effectiveness is also measured at this level.
Subcontractors who work indirectly with the DoD may be required to achieve Level 4 certification, and Level 4 is a minimum requirement for organizations working directly with the DoD.
The added practices and controls at this level are aimed at protecting organizations and the DoD from advanced persistent threats (APTs). Defending against APTs requires an incident response (IR) process. The IR process is executed by a computer incident response team (CIRT) with a wide breadth of knowledge of the organization’s networks, systems and security controls, with the goal of defending against the APT.
Advanced and Progressive Security – CMMC Level 5
The main goal at CMMC Level 5 is to standardize and optimize an organization’s approach to security across the entire business.
Organizations with Level 5 certification can handle incidents and take corrective action to remediate a threat. The CIRT is required to have the ability and knowledge to investigate an issue, either virtually or on site, within 24 hours.
What This Means for 2022 Budgets and Planning
As FED and SLED organizations look to become CMMC-compliant or advance their way through each level of compliance, it’s a critical time to start planning current and future budgets to support this initiative. As you plan, ask yourself:
- IT Systems: Will you need to update IT systems within the next year, or migrate any on-premises data to the cloud?
- Developing Compliance Policies: Companies will also need to take a resource audit to determine the investment needed to develop new compliance policies, and whether the current team has the applicable training to build and update those policies.
- Audits and Assessments: At the very least, companies should perform a NIST 800-171 compliance self-assessment, as well as a CMMC audit to determine next steps.
- Supply Chain Incorporation: Organizations will need to build cybersecurity practices into their entire supply chain, which may require additional resources to support the information being shared.
Cisco's Security Portfolio Supports CMMC Level Requirements
Each level of the CMMC certification comes with robust cybersecurity practices and policies. Cisco Zero Trust Security for CMMC addresses all levels to help protect and ensure your organization is in compliance with these new regulations.
Cisco offers a robust security portfolio, and these solutions can help you achieve certification levels more easily. From authentication to verification, all the way to overall device and system security, there is a Cisco product that will work for you.
To get started, visit the Tech Data Cisco Security page and get in touch with our cybersecurity experts.
About the Author
Drew Kaiser began his career in Information Technology 10 years ago. As a solution architect at Tech Data, Drew specializes in Cisco cybersecurity products and holds technical certifications ranging from Cisco-specific to vendor-agnostic certifications such as CISSP. In his personal time, Drew likes tinkering with his own lab, playing board games, and attending beer festivals around Tampa and St. Pete. Drew can be reached at Andrew.Kaiser@techdata.com.