Cyber Maturity Model Certification (CMMC)

What Is CMMC? 

The Cyber Maturity Model Certification (CMMC) is the standard for implementing cybersecurity across the Department of Defense (DoD), as well as any contractor that works with the DoD.  

It is now referred to as CMMC 2.0, which was implemented in 2021. The certification verifies that certain levels of cybersecurity systems and processes are established to ensure fundamental cyber hygiene practices. CMMC is designed to secure controlled unclassified information (CUI) stored on networks of DoD contractors. 

What Are the CMMC Levels?  

The certification is broken up into three levels.  

Level 1 

Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. If an organization is already doing business with the DoD, they should already be compliant. The 17 controls outlined in Level 1 are all basic cyber hygiene practices and outline the bare minimum any contractor should already have established. 

Level 2 

Level 2 requires an organization to establish, maintain, and resource a plan that demonstrates the management of activities for practice implementation. Level 2 is all about the protection of CUI and includes all security requirements specified in NIST SP 800-171, plus some additional methods to mitigate threats.  

Level 3 

CMMC 2.0 Level 3 is currently undefined but is likely (per the Federal Registry) to resemble CMMC 1.0 Level 5. Level 3 requires you to standardize and optimize process implementation across the organization. At the same time, its practices center on protecting CUI from advanced persistent threats (APTs), increasing the depth and sophistication of your cybersecurity capabilities. 

The CMMC Security Controls 

Level 1 of the certification consists of 17 security controls that fall under six categories. 

Those categories are: 

• Access control 
• Identity control 
• Media protection 
• Physical protection 
• System and communications protection 
• System and information integrity 

Certification v. Self-Assessment 

Depending on the vendor’s contract with the DoD, and the kind of information the vendor is securing, parts of the CMMC are able to be completed through self- assessment. 

Level 1 can be completed through self-assessment, and there is a subset of Level 2 that can also be completed via self-assessment. However, that is only available if the information, “does not involve information critical to national security,” according to the CMMC website.  

Level 3 must be assessed by government officials. 

Five Questions Every DoD Contractor Should Ask Themselves 

There are five questions that will help an organization not only achieve CMMC but stay secure for the future. They are:  

1. Is your organization NIST 800-171 compliant?
2. Do you have an updated system security plan (SSP)?
3. Have you created a plan of action & milestones (POA&M)?
4. Have you implemented a remediation plan?
5. How do you plan to maintain compliance?

As with any comprehensive security program, meeting the requirements of CMMC demands an integrated approach entailing several different solutions. Everything from compliance platforms, encrypted assets, and data backups to monitoring and management solutions must seamlessly work together to eliminate vulnerabilities and ensure CMMC certification. 

Arctic Wolf and CMMC 

As with other regulatory requirements, Arctic Wolf is here to help organizations meet CMMC needs. Explore further with our CMMC compliance guide.