All government contractors who work with the Department of Defense or other agencies that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) must be cybersecurity certified. To streamline this process, the U.S. government established the Cybersecurity Maturity Model Certification (CMMC).
Let’s discuss what CMMC is, its different levels of maturity, and how you can get CMMC certification for your business.
What Is CMMC?
CMMC, or ‘Cybersecurity Maturity Model Certification’, is a new standard for normalizing cybersecurity preparedness. It was designed specifically for the defense industrial base (DIB) and other government contractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the U.S. Department of Defense. With these parameters, every company working with the DoD will have the right security measures in place to ensure no sensitive information is mishandled.
The CMMC was first published on January 31, 2020. Before then, contractors for the DoD had to self-attest to their implementation of NIST SP 800-171 and monitor the security of their own systems, particularly the sensitive DoD information stored on them. While contractors are still responsible for maintaining their company’s cybersecurity requirements, the CMMC establishes mandatory practices and requirements that contractors must implement 100%.
The CMMC is designed to measure the maturity of a company’s cybersecurity efforts to protect data. That maturity determines which level your organization holds on the CMMC scale, and that level in turn determines which contracts it can apply for: more comprehensive cybersecurity programs receive a higher level of maturity.
There are five CMMC certification levels, each with its own objectives and requirements:
1. Level 1 – Basic Cybersecurity
Level 1 maturity denotes a company operating under the 17 most basic cybersecurity measures, which are detailed by the Federal Acquisition Regulation (FAR). All government contractors must achieve at least a Level 1 on their CMMC to become eligible for government contracts. The main objective of Level 1 companies is to protect Federal Contract Information (FCI).
2. Level 2 – Intermediate Cybersecurity
Level 2 maturity is a transitional phase between Level 1 basic cybersecurity and Level 3 protection of controlled unclassified information (CUI). Contractors must continue to comply with the 17 practices listed in Level 1, plus the 48 security practices detailed in NIST SP 800-171 and an additional seven practices to support an intermediate level of cybersecurity hygiene. In total, Level 2 contractors must comply with 72 security practices. The CMMC-AB doesn’t issue certifications for this level.
3. Level 3 – Good Cybersecurity
Level 3 maturity builds on every cybersecurity measure of the previous two levels and the full set of 110 security controls in NIST SP 800-171, and adds 20 additional CMMC practices. With this level of cybersecurity maturity, contractors can adequately protect CUI and are eligible to work on contracts that include a DFARS clause. The majority of manufacturers will be at this level. However, Level 3 contractors may still not be a viable option for agencies handling highly sensitive data, since this level of cybersecurity still has vulnerabilities.
4. Level 4 – Proactive Cybersecurity
Level 4 maturity proves that contractors have established best practices for cybersecurity and are constantly updating and changing their precautions as new threats emerge. By the time contractors reach Level 4 maturity, they will operate with 156 cybersecurity practices in place, including 11 practices from Draft NIST SP 800-171B.
5. Level 5 – Advanced Cybersecurity
Level 5 maturity shows that a government contractor observes over 171 cybersecurity practices to manage and protect sensitive government information. These mature and robust systems can protect the most sensitive data from advanced persistent threats (APTs).
How To Get Your CMMC
To get CMMC certification, you must meet the best practices of each level and then have your cybersecurity assessed by a Certified Third-Party Assessment Organization (C3PAO). This CMMC assessment will label your cybersecurity at one of the five levels. The Office of the Under Secretary of Defense for Acquisition and Sustainment provides CMMC assessment guides to help you understand what is required for the first three CMMC levels.
iMpact Utah offers professional services to help you get your CMMC certification and contract with the DoD. iMpact Utah will prepare you for your Level 1 and Level 3 certifications by tailoring the required cybersecurity systems and procedures to your business. We will also put you in contact with the best Certified Third-Party Assessment Organization (C3PAO).
If you want to work on becoming CMMC compliant to get your CMMC certification and start working as an official government contractor for the DoD, contact iMpact Utah today.