CMMC Levels – Here’s What You Need to Know

Under the US Department of Defense's (DoD) current NIST SP 800-171 self-attestation regime, every contractor must meet the same "one size fits all" set of requirements regardless of its size or role. In contrast, the new Cybersecurity Maturity Model Certification (CMMC) framework defines five levels of requirements so that the obligations imposed on an organization better match its actual risk profile.


The more flexible CMMC levels “right-size” a supplier’s compliance requirement based on the data it handles. DoD RFIs and RFPs will specify the CMMC level(s) required for prime contractors and their subcontractors.


The five CMMC levels range from Level 1 (Basic Cyber Hygiene, the minimum requirement for any firm participating in DoD contracts) to Level 5 (Advanced, designed to protect high-value assets from advanced persistent threats (APTs)). NIST SP 800-171 compliance roughly corresponds to CMMC Level 3 ("Good Cyber Hygiene"), which adds about 20 practices on top of the 800-171 controls.


The CMMC's primary purpose is to safeguard Controlled Unclassified Information (CUI). DoD contract participants that will handle CUI will need to be certified to CMMC Level 3 or higher. To be certified against any of the five CMMC levels, a company must pass an independent third-party assessment, which will be more rigorous at higher CMMC levels. The levels are cumulative: to be certified at a given level, a business must also demonstrate that it complies with the requirements of all the lower levels.


Summary of CMMC Levels


  • Level 1: Intended to ensure a company can safeguard Federal Contract Information (FCI)

  • Level 2: This is a temporary level meant ..