What CMMC Level Do I Need to Attain?

By this point, most, if not all, DoD contractors are aware they must comply with CMMC if they want to continue holding government contracts. But knowing which level your specific company requires can sometimes feel like a mystery.

Non-compliance with the standard can result in the loss of government contracts and legal and financial consequences. Therefore, it is essential to understand what CMMC level your company needs to achieve and take the necessary steps now to plan for and achieve this compliance.

What Is the Difference Between CMMC Levels?

Per CMMC 2.0, the CMMC standard has three levels representing different requirements for cybersecurity maturity. The higher the level, the more advanced and comprehensive cybersecurity measures must be in place.

The levels are as follows:

  • Level 1: Foundational

CMMC Level 1 consists of 17 controls and is based on FAR 52.204-21. These controls protect covered contractor information systems and limit access to only authorized users. The 54-page assessment guide is only applicable to companies that focus on protecting Federal Contract Information (FCI).

  • Level 2: Advanced

CMMC Level 2 consists of 110 controls (inclusive of Level 1), 320 assessment objectives, and a 270-page assessment guide that applies to companies working with Controlled Unclassified Information (CUI). It is based on DFARS 252.204-7012. This level of CMMC is now completely aligned with the 110 controls of NIST SP 800-171.

  • Level 3: Expert

CMMC Level 3 focuses on reducing risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on the DoD’s highest priority programs. Specific security requirements are still being determined by the DoD, but will most likely be based on the 110 controls of NIST SP 800-171 in addition to a subset of NIST SP 800-172 controls.

What Level of CMMC Do I Need for My Company?

The level of CMMC your company needs to achieve will depend on your scope, or the type of information your company handles and the type of government contracts you support.

The following questions will help you determine what level of CMMC you need:

  • Does your company only handle Federal Contract Information (FCI)?

If your company handles FCI, you must achieve at least CMMC Level 1.

  • Does your company handle CUI?

If your company handles CUI, you must achieve at least CMMC Level 2, and you are already subject to the requirements of NIST 800-171.

  • Does your company handle CUI related to national security systems or critical infrastructure?

If your company handles CUI related to national security systems or critical infrastructure, you will need to achieve CMMC Level 3.

What Steps Can I Take to Achieve CMMC Compliance?

To achieve CMMC compliance, you will need to take several steps, including:

  • Assess your current cybersecurity measures: Before achieving CMMC compliance, you need to assess your current cybersecurity measures to identify any gaps in your security and determine what steps you need to take to achieve compliance.
  • Develop a plan: Based on your assessment, develop a plan for achieving CMMC compliance. This plan should include a timeline, a budget, and a list of actions to take.
  • Implement cybersecurity measures: Once you have a plan, start implementing the cybersecurity measures you need to achieve compliance. This may include installing new software, implementing new policies and procedures, and providing employee training.
  • Continuously monitor and improve: CMMC compliance is not a one-time process. To remain compliant, you must continuously monitor and improve your cybersecurity measures. This may involve conducting regular assessments, implementing new technologies, and updating your policies and procedures as needed.
  • Seek outside help: There are companies that specialize in assisting companies in attaining CMMC compliance, like SSE, and can provide you with the expertise and resources you need to succeed.

Feeling Overwhelmed by the CMMC Journey?

If tackling CMMC certification seems daunting, let the experts at SSE guide you through your journey. We are a Registered Provider Organization (RPO) accredited by the CYBER AB (formerly the CMMC Accreditation Body).

SSE has more than 12 years of expertise in managing classified data and Controlled Unclassified Information (CUI) through evolving cybersecurity regulations, and has maintained its own and its clients’ NIST 800-171 compliance since it became law in 2017.

Contact us about an initial and complimentary CMMC Readiness Assessment today!
