July 28, 2021
At Rimstorm, helping businesses achieve CMMC compliance is one of our specialties. We’re a C3PAO candidate with CMMC-AB Provisional Assessors on staff. Suffice to say, we are experts on CMMC.
We understand that CMMC can look a little intimidating at first. The requirements can sometimes feel overwhelming. So today we’re going to give readers a simple, summarized explanation of CMMC so that it doesn’t appear quite so menacing your first time out.
Like most problems, difficult things can be broken down into parts. And it just so happens that CMMC is divided into five levels — each tier building upon the previous one. The more of these levels your organization achieves, the better you will look when vying for a DoD contract. Here’s how it’s all broken down.
CMMC Level 1 – Basic Cyber Hygiene
While Level 1 of CMMC may be considered “basic” cyber hygiene, it’s comprised of 17 practices as of the latest CMMC revision (and at the time of writing this article). This covers everything from things like password strength to locking the door to your office when you leave for the day. Most organizations should already have these basic controls in place.
CMMC Level 2 – Intermediate Cyber Hygiene
This level is a stepping stone towards CMMC Level 3. At the time of writing, Level 2 contains 72 practices.
CMMC Level 3 – Good Cyber Hygiene
One of the major differences between CMMC Level 1 and CMMC Level 3 is cybersecurity maturity. Just because an organization has purchased security solutions, that doesn’t necessarily mean the processes are in place to ensure they are institutionalized. There are 130 practices to adopt in Level 3. At a minimum, any company handling Controlled Unclassified Information (CUI) will be required to meet the requirements of Level 3. If an organization handling CUI has the practices and processes of CMMC Level 3 in place at all times, they become a difficult target for malicious actors.
CMMC Level 4 – Proactive
“Proactive” is exactly what it sounds like. At CMMC Level 4, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques and procedures, or TTPs, in use by APT actors. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues. In total, Level 4 contains 156 practices.
CMMC Level 5 – Advanced/Progressive
CMMC Level 5 is all about standardizing and optimizing. It mainly focuses on the protection of CUI from APTs. The 171 practices that make up Level 5 increase the depth and sophistication of cybersecurity capabilities and include the need for subject matter experts.
While DoD is not asking small- to medium-sized businesses to implement Fort Knox’s level of security, they are requiring adequate security and good cyber hygiene. That’s what the Cybersecurity Maturity Model Certification is all about. And that’s exactly why you should turn to the experts for help in adopting it. That’s where we come in.