If you own a business, or are part of a business, that works with the Department of Defense (DoD), you are probably familiar with NIST 800-171. The Cybersecurity Maturity Model Certification (CMMC), initiated in January 2020, takes digital security a step further and adds 61 new practices to the existing list of practices found in NIST 800-171.
Under the CMMC framework, organizations are categorized into 5 levels, from Level 1 up to Level 5. As a company progresses from Level 1 to Level 5, the digital security requirements it must adhere to change, but more importantly, the way these security practices are implemented internally across the organization also changes. The CMMC levels also take into account how consistently a company adheres to its security practices and how secure an environment its infrastructure provides.
Let's have a look at the different levels of CMMC organizations and understand what the key differences are.
Level 1
At the very first level, CMMC is concerned with ensuring that companies comply with the requirements specified in 48 CFR 52.204-21. The purpose is to ensure that these companies can safely handle Federal Contract Information (FCI), which is information that is not intended to be released to the public. Every CMMC certified company must comply with Level 1 requirements, even though some domains within CMMC may not involve Level 1 practices. However, at this level process maturity is not a concern, and Level 1 companies may not have thorough cybersecurity practices implemented throughout the organization.
Level 2
Level 2 serves as a stepping stone for companies to progress to Level 3 and higher, and it introduces the concept of process maturity, which is what makes this model unique. At this level, companies demonstrate a reasonable level of cyber hygiene and follow a more advanced set of rules that allow them to protect their digital assets more effectively than Level 1 companies. At this stage, companies are required to develop and document the policies, strategic plans, and day-to-day procedures that make up their cybersecurity plan.
Level 3
At this level, companies will have demonstrated not only that they have solid cybersecurity hygiene but also that the procedures they implement meet the requirements of NIST SP 800-171 Rev 1. This is a necessary step for companies that either generate or require access to Controlled Unclassified Information (CUI). However, even at this level, companies will have trouble protecting themselves from advanced persistent threats (APTs). Companies that are subject to DFARS clause 252.204-7012 have a few additional requirements to meet.
Level 4
At Level 4, companies are well equipped to deal with APTs and also have the resources to adjust their digital defenses to handle the ever-evolving tactics and strategies used by attackers. Moreover, at this level process maturity is far more visible: the organization reviews and records its procedures and also escalates to management if problems are found. The entire organization proactively manages a solid digital defense system.
Level 5
At the highest level, companies have advanced cybersecurity practices, but more importantly, they have demonstrated that they are capable of adjusting and changing the kind of security they implement to match the kind of threats they face. Regardless of how complex the attacks may be, they can repel them, with a track record that proves their competence. Moreover, process maturity is implemented uniformly across all areas of the organization. These are the kinds of organizations that can be entrusted to generate, receive and process highly sensitive information.
The CMMC level a company chooses to adhere to will depend largely on the nature of its work. Reaching the highest level is by no means a necessity, and many companies can work just fine at a lower level.