In the US, all Department of Defense (DoD) contractors are required to complete a third-party examination to obtain compliance certification under the CMMC program. The Department of Defense has developed two CMMC inspection guidelines, which are essential resources for both evaluators and DoD contractors to use when evaluating the CMMC framework.
The CMMC program is designed to enhance the security of the supply chain in the defense industrial base (DIB). According to the new legislation, DoD will eventually require all DIB enterprises to be CMMC certified. All government contractors and subcontractors are required to be compliant at one of the five CMMC levels. These levels encompass both technical security measures and maturity procedures outlined in the Cybersecurity Maturity Model framework.
The defining documents for understanding the intricacies of CMMC certification are the CMMC Assessment Guide – Level 1 and the CMMC Assessment Guide – Level 3. Both of these documents were published by the DoD last year. Third-party assessors can use the instructions outlined in the assessment guides during the evaluation process, and contractors can also use them to prepare for the CMMC assessment.
Many of you must be wondering where Level 2 went. Level 2 is referred to as the transitional level and is considered a progression from Level 1 to Level 3. However, DoD vendors are not required to comply with it. Besides this, the guidelines for Level 4 and Level 5 have yet to be published.
Another question asked by government contractors is which CMMC compliance level they should achieve. The answer is that it depends on the type of data you are required to store and use. There are three types of data: Federal Contract Information, Public Information, and Controlled Unclassified Information.
CMMC Certification Requirement for Public Information
Public information does not need any specific processing or restrictions. You do not require CMMC certification if your DoD contract requires you to deal with public information. Public information is designated as “Public Release Approved.” It is unlabeled information obtained from an uncontrolled, publicly accessible government source.
CMMC Level 1 Certification for Federal Contract Information (FCI)
Federal contract information (FCI) is data that should not be made public. It is usually noted in document markings or specified in the contract. FCI does not include fundamental accounting information that is essential for invoicing and collecting payments. If your DoD contract requires you to collect or store FCI data, you’ll most likely need Level 1 CMMC certification. This particular level has 17 cybersecurity practices.
CMMC Level 3 Certification Requirement for Controlled Unclassified Information (CUI)
Controlled unclassified information (CUI) is data that is sensitive and vulnerable to cyberattacks; thus, the CMMC imposes extra protection and handling rules on it. CUI should be appropriately marked or stated in your DoD contract. The most commonly used supplemental guidelines for CUI may be found in the National Institute of Standards and Technology (NIST) Special Publication 800-171. If you are a DoD contractor and share or handle CUI data, you must obtain CMMC Level 3 certification. CMMC Level 3 requires compliance with 133 standards and procedures in total.