How will CMMC work?
Tim outlines that CMMC, like most new frameworks, is currently undergoing a period of review by the Pentagon before it’s put into practice. The initial version, CMMC 1.0, combines risk controls that are commonly used in cybersecurity frameworks with more tailored controls that are unique to the DOD and DIB contracts. It also outlines five levels of security maturity that will determine which processes and practices a particular contractor will have to abide by when doing business with DOD. Compliance with these levels of security will be mandatory for all contractors, including UK-based contractors and those based in other countries around the world. The five levels are as follows:
CMMC Level 1
All federal contract information must be safeguarded. This is the most basic level of security maturity and means that a contractor must be able to guarantee that all data pertaining to the contract is adequately secured.
CMMC Level 2
This builds on level one and acts as a transition step to level three, requiring that all contractors be able to demonstrate the ability to self-audit their processes and prove that their policies and processes align with those of the DOD in terms of security.
CMMC Level 3
Full protection of Controlled Unclassified Information (CUI). Contractors need to adhere to all of the security requirements set out in NIST SP 800-171 and NIST SP 800-53, as well as the Aerospace Industries Association's National Aerospace Standard 9933 (NAS9933) and the Critical Security Controls for Effective Cyber Defense. In short, level three requires contractors to adhere to a plethora of compliance standards and to be able to demonstrate that compliance robustly. This is where the majority of contractors will most likely sit.
CMMC Levels 4 and 5
In the highest levels of security maturity, contractors will not only need to demonstrate their compliance with all of the above, but will also need to enact their own cybersecurity policies and controls to reduce the risk of Advanced Persistent Threats (APTs).
The kind of service a business provides, and the level of access and engagement it will need in order to provide that service, will determine which level it is assigned. CMMC version 2.0, details of which emerged in November 2021, will seek to narrow these tiers down to three levels in order to simplify things. But rather than making things easier for contractors, this will likely raise the threshold of security standards even for basic services. We will discuss CMMC 2.0 in more detail on the blog soon, including how it differs from CMMC 1.0.