Unless you’re already in business with the US Department of Defense (DoD), you may not have thought much about the Cybersecurity Maturity Model Certification, or CMMC. Until recently, the CMMC was a U.S. federal government compliance framework that applied only to companies that sell to the DoD.
But that changed in late 2020 when the federal government announced all government contractors should begin preparing for CMMC compliance. At the same time, the DoD has embarked on an update of the CMMC rules, adding more complexity to the challenge of complying with CMMC.
Thus, while it was possible to say a year ago that “the CMMC is coming,” we must now recognize that “the future of CMMC is here” already. Compliance strategies that sufficed in the past may no longer be enough. Now is the time to prepare if you plan to do business with U.S. government agencies of any type.
What are the CMMC levels?
As compliance frameworks go, the CMMC is relatively easy to understand. It consists of five main components, known in CMMC parlance as “levels.” Each level defines a set of cybersecurity requirements that businesses must meet.
The nature of the work your business does and the sensitivity of the government data or processes it handles determine which CMMC level you need to comply with. Each engagement specifies which level a company must achieve in order to meet that contract’s requirements.
Here’s a breakdown of the CMMC, starting with the most basic. Note that the levels are cumulative. Level 2 compliance also requires level 1 compliance, level 3 compliance also implies levels 1 and 2, and so on.
Level 1 requires “basic cyber hygiene,” which is defined in the CMMC as adhering to specific procedures that protect against data theft and mitigate the risk of major cyberattacks. However, level 1 doesn’t require businesses to implement these processes in a particular way or to document their compliance. Thus, level 1 compliance is the easiest to achieve.
Level 2, which mandates “intermediate cyber hygiene,” includes somewhat more rigid cybersecurity processes and controls than level 1. Importantly, level 2 also requires businesses to establish a consistent, documented set of policies to enforce cybersecurity. You can’t approach cybersecurity in an ad hoc fashion to achieve level 2 compliance.
To achieve level 3 compliance, you need not just document a cybersecurity plan but also be able to demonstrate that you are achieving it. In addition, level 3 adds nearly two dozen cybersecurity controls, which are part of the “good cyber hygiene” requirements of the CMMC.
Level 4, which requires a “proactive” approach to cybersecurity, mandates that businesses review their cybersecurity practices, identify weaknesses and take steps to correct them — in addition to documenting and demonstrating compliance, as the lower levels require.
Level 5, which requires “advanced/proactive” cybersecurity, is the toughest CMMC compliance level to meet. It mandates that businesses do not just review and improve their cybersecurity practices, but also that they optimize them on a proactive basis. The goal is to anticipate and block threats before they materialize.
Preparing for CMMC compliance: Why and how
Given the significant changes that the CMMC is currently undergoing — in terms of both which businesses the rules apply to, and what the rules include — many companies understandably aren’t sure where to start when it comes to preparing for CMMC compliance.
That’s one reason why it’s wise to work with a CMMC consultant, who understands the complexities of the framework and can guide you in establishing a plan to meet them.
Achieving CMMC certification
Even if you don’t need to be CMMC-compliant today, you may in the future if you choose to work with government agencies that adopt the CMMC as a requirement for their contractors.
And beyond compliance itself, CMMC certification is beneficial because it helps you establish a stronger security posture — a critical consideration in a world where cybercrime, including attacks on your supply chain, email and ransomware attacks, and many other breaches, now costs nearly 1 trillion dollars annually, or more than 1 percent of global GDP.
End-to-end supply chain security
It’s worth noting, too, that CMMC is only one of the numerous compliance frameworks that are either just coming online or are being overhauled. You’ve probably heard of others, like NIST, CCPA/CPRA, and SHIELD, which also have implications for companies doing business with other companies or agencies in various industries.
Given all of this change and complexity surrounding compliance, it’s a best practice to build automated compliance controls into your operational pipelines using a tool like Findings. Compliance is only going to grow more complicated over the coming years, which is why it’s critical to identify risks across your entire supply chain — and to prove to your customers that you’re managing risks effectively.
All of the above means that many businesses have a mandate to overhaul their compliance and risk management strategies. Even if the CMMC specifically doesn’t apply to your business, chances are that other new compliance rules will. Baking risk detection and management into your entire operational pipeline — including your supply chain — is crucial for meeting these new challenges.
Learn how Findings can help secure your supply chain