Youattest Logo

The Differences in the DODs CMMC (Cyber Security Model Certification) Levels

DODs CMMC (Cyber Security Model Certification) Levels, What are they? This blog will denote the differences in the DODs CMMC (Cyber Security Model Certification) Levels.

In response to the growing threat of cybercrime against the United States, there have been multiple actions taken by the federal government to protect itself and its citizens. Earlier this year, President Joe Biden issued an executive order in May 2021 to improve the nation’s cybersecurity by working with the private sector to bolster the public sectors’ defense. Before this, to protect state information, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020.

Why CMMC and DODs CMMC (Cyber Security Model Certification) Levels ?

The CMMC is a new step taken to ensure the cybersecurity of the contractors and subcontractors that work with the DoD to protect the sensitive information held within the contracts. They have stated that CMMC is “intended to serve as a verification mechanism to ensure that the Defense Industrial Base (DIB) companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.”

Image #1: The D.o.D’s CMMC guidance is broken down to 5 Levels.   YouAttest provides compliance for the Access Conrols (AC) and Audit and Accountability (AU) controls. ( DODs CMMC (Cyber Security Model Certification) Levels )

Previously, the system in place for the DoD was to have the contractors do self-assessments on the strength of their cybersecurity. The concerns that have led to the overhaul in the cybersecurity compliance system are the reports from The Center for Strategic and International Studies (CSIS), in a partnership with McAfee, that found “as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year.”

Within the new CMMC program are five levels of certification that look at the practices and processes of the contractor or sub-contractor. As these levels progress, the required cybersecurity level also increases, maintaining the safety and security of the information stored and used by the contractor. This will be assessed by the CMMC Accreditation Body (CMMC-AB) as an independent, third-party.

Each level in the CMMC adds practices for increased cybersecurity as a contractor looks to progress through the levels of compliance.

DODs CMMC (Cyber Security Model Certification) Levels | Level 1

Within the first level, 17 basic cybersecurity practices needing to be implemented are detailed by the Federal Acquisition Regulation (FAR) clause 52.204-21. This level will not have access to CUI.

DODs CMMC (Cyber Security Model Certification) Levels | Level 2

Progressing to level two will see the addition of 55 practices, which are a subset of the security requirements listed in NIST SP 800-171. Level two is a stepping stone to level three, as there will not be many DoD contracts that will allow for level two, as these contractors cannot handle CUI. This level does require the documentation of practices and procedures.

DODs CMMC (Cyber Security Model Certification) Levels | Level 3

Level three will be the lowest level that allows a contractor to handle CUI and builds off of NIST SP 800-171 with 20 additional practices set to mitigate risk against and protect CUI. A level three contractor will also need to manage a plan that demonstrates the implementation of the practices that have so forth been mentioned.

DODs CMMC (Cyber Security Model Certification) Levels | Level 4

Level four again adds more practices (26) to the systems protecting CUI from the DoD, but these are more proactive measures aiming to protect from Advanced Persistent Threats (APTs). Level four is the stage in the progression where the implementation of the practices and procedures will need to be reviewed for effectiveness.

DODs CMMC (Cyber Security Model Certification) Levels | Level 5

The last level, which only adds 15 practices, will focus on optimizing the implementation of the processes that have thus far been documented, managed, and reviewed. This is the most advanced step in the cybersecurity efforts, which will add depth and complexity to the defense of CUI.

Cybersecurity continues to be an ever-present concern for the United States Government and its citizens. More and more, we see headlines talking about data breaches in massive companies here and abroad. The steps that we take now will protect us in the future.

YouAttest is an automated identity audit tool for your identity and access control resources.  Cloud based and simple to use – YouAttest provides a quantified platform for your identity audits.   YouAttest will join w/ Robert Emrich, Jr, a  CMMC RP, to help review the identity requirements and inform how YouAttest meets the access review requirements in a webinar, scheduled for Sep 22nd.