The DoD’s Cybersecurity Maturity Model Certification (CMMC) is now in force, but what does this mean for DoD contractors? Well, every company must now prove they have sufficient cyber security in place to protect sensitive data before they can work for the DoD. So if you plan on bidding for DoD contracts, here’s a brief practical guide to CMMC compliance.
CMMC Compliance Levels:
The CMMC is all about establishing your company’s cybersecurity “maturity” level. There are five possible levels:
- Basic Cyber Hygiene
- Intermediate Cyber Hygiene
- Good Cyber Hygiene
- Proactive
- Advanced/Progressive
So, if you’re level 3 certified, you can work on contracts requiring level 1-3 security compliance. However, you can’t take on level 4 or 5 contracts because your cybersecurity isn’t robust enough just yet.
But how do you know what certification level to aim for, and how do you comply? Let’s briefly run over the features of each level.
Level 1
At this level, you’re working with Federal Contract Information (FCI). This is basically just information provided by the government to perform a contract.
You only need to meet 17 fairly simple cybersecurity standards to achieve level 1 compliance. These standards include:
- Strong passwords and separate accounts for each user
- Encrypting data
- Maintaining access logs, i.e., who is on your premises
- Separating the private company Wi-Fi from public networks
- Safely disposing of data when you no longer need it
You might already meet level 1 certification standards, but you still need the CMMC to prove this.
Level 2
Level 2 companies handle some Controlled Unclassified Information (CUI), so you need some extra safeguards in place. There are 72 specific requirements. But, basically, you must:
- Document your cybersecurity protocols
- Log and monitor user activity
- Roll out cybersecurity training
- Secure your data backups
- Supervise any visitors on your premises
Think of level 2 as a stepping-stone to level 3.
Level 3
You established basic CUI safeguards in level 2. But now, you need to go further. Level 3 companies must meet 130 requirements that center around:
- Long-term cybersecurity planning
- Regular policy reviews and security updates
So, for example, you need to:
- Perform routine security audits
- Introduce a comprehensive staff training program
- Take extra steps to verify users, such as deploying multi-factor authentication
- Maintain critical services
- Establish a security incident response plan and review it regularly
Level 3 sets the groundwork for handling more sensitive data in levels 4 and 5.
Level 4
Level 4 companies must be proactive about cybersecurity. There are multiple requirements. But, basically, you must:
- Introduce procedures for measuring cybersecurity effectiveness
- Proactively monitor for cybersecurity threats on the network
- Prove you can identify and manage advanced persistent threats (APTs), meaning attacks from highly sophisticated hackers
If you want to be a main contractor rather than a subcontractor, it’s safe to assume you should meet level 4 criteria.
Level 5
Level 5 contractors handle the most sensitive DoD data. So you need to prove your cybersecurity is robust and agile enough to handle sophisticated threats.
- Since there’s a high risk of APTs, you need advanced threat detection and risk mitigation processes.
- There must be very clear authorization levels within the company.
- Do not allow any devices on your network unless they’re properly secured and verified.
- Ensure you track user activity and maintain clear trails to verify it.
- Create an incident response team trained to respond to threats immediately.
- You need sufficiently secure ways to back up and erase confidential data.
Before you apply for the CMMC, you should perform a gap analysis and readiness audit. That way, you’ll identify any cybersecurity weaknesses you need to fix before you apply for the desired certification level.