In part one of this two-part blog series, we went over some basics of both CMMC and NIST 800-171. These are two related cybersecurity standards: CMMC is the newer umbrella framework for the defense industrial base, while NIST 800-171 is the current requirement for anyone handling CUI. Both are important to understand if you’re a government contractor.
In today’s part two of the series, we’ll look at the timeline for the full implementation of CMMC guidelines, plus what will happen during the integration to full CMMC adoption. We’ll also go over the levels of CMMC, why those in level 3 and above have to be particularly diligent about these changes, and how you can determine your CMMC compliance needs as a contractor or company.
CMMC Implementation Timeline
As we noted in part one, CMMC regulations are not simply entering the field all at once. Rather, the Department of Defense (DoD) is planning to add these levels over a period of time, which already began in early 2021.
This process has begun with about 15 procurements for major DoD programs and technologies, such as missile defense and nuclear programs, and the rollout will continue over the next five years. Around 1,500 primes and subcontractors will be affected by this first wave, but that number will grow significantly over the next several years. By fall 2026, the expectation is that all DoD contracts will include some level of CMMC requirements.
The CMMC level you or your company need to achieve depends on the sensitivity level of DoD information you’re working with. Here’s a summary of each level:
- Level 1 – Processes Performed, Practices Basic Cyber Hygiene: Requires organizations to perform specific practices, with protections focused on FCI (Federal Contract Information).
- Level 2 – Processes Documented, Practices Intermediate Cyber Hygiene: Organizations must establish and document the practices and policies that guide their CMMC implementation. In many ways, Level 2 serves as a transitional step between Level 1 and Level 3, which makes it very significant.
- Level 3 – Processes Managed, Practices Good Cyber Hygiene: This is the CMMC level most affected by recent updates, as over 120,000 contractors have access to CUI (Controlled Unclassified Information) and must meet Level 3 requirements, and many have been added here recently. Level 3 requires a documented plan covering mission goals and training for practice implementation, and it focuses on protection of CUI. It covers all security requirements found in NIST 800-171, plus 20 additional practices. Any contractor currently subject to DFARS 252.204-7012 will eventually need to meet at least Level 3 requirements.
- Level 4 – Processes Reviewed, Practices Proactive: This level involves reviewing and measuring the effectiveness of practices, plus correcting them if needed. It focuses on protection of CUI from APTs and involves enhanced security requirements from NIST 800-171.
- Level 5 – Processes Optimized, Practices Advanced/Proactive: This requires full optimization of processes throughout the organization, plus protection of CUI from APTs.
Determining Compliance Needs
To get started with this process, the first step is determining whether you are handling CUI. Once this is done, determine the gaps between your current compliance and where you need to be under CMMC guidelines – something our staff is happy to help with.
For more on this or any of our other processes in CMMC or other areas of DoD security, speak to one of our CMMC-AB assessors at Rimstorm today.