Do you need to know how to evaluate your IT policies and procedures for CMMC 2.0 Certification? We’ve got you covered. 


The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) framework to establish compliance certification measures that help to ensure DoD contractors can protect sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).  

After determining that the original CMMC 1.0 model was too cumbersome, the DoD drastically revised their requirements with the introduction of new CMMC 2.0 standards, set to take effect in 2023. 

CMMC 2.0 requirements are based on the National Institute of Standards and Technology (NIST) SP 800-171 and are directly aligned with the Defense Federal Acquisition Regulation Supplement (DFARS), which has been required for some time now. 

What’s different, however, is how strictly these new regulations will be enforced. To be successful, you must change your approach to compliance or risk losing out on lucrative contracts and incurring hefty fines. 

Preparing for certification takes time, so it’s wise to start now. Achieving CMMC 2.0 compliance gives your company clearance to bid on new work, gaining a distinct advantage over the competition. 
 
What are the levels of CMMC 2.0 Certification? 

The new CMMC 2.0 model uses three levels to identify an organization’s cyber hygiene, from Foundational to Expert. Each level has its own set of requirements adapted from NIST SP 800-171. The tiered approach means that to be certified at a given CMMC level, you must also meet all the requirements of the preceding levels, just as if you were applying for certification at each of those levels. 

The three new CMMC 2.0 certification levels: 

  • CMMC Level 1: Foundational – Requires annual self-assessment.
  • CMMC Level 2: Advanced – Requires triennial third-party assessments for critical national security information and annual self-assessments for selected programs.
  • CMMC Level 3: Expert – Requires triennial government-led assessments.

Your access to CUI will determine the level of certification you need. Contractors that handle or generate CUI will need at least CMMC 2.0 Level 2 certification. As a DoD contractor, you should identify your organization’s required cybersecurity maturity level based on the classification of the data you store, transmit, and process. 

Your IT team should be familiar with NIST SP 800-171 and the appropriate target levels so that they can determine the right CMMC 2.0 controls to adopt for your organization. 

Considering the level of complexity involved with CMMC 2.0 certification, preparing for compliance can seem daunting – but it doesn’t have to be. That’s why we’ve created this checklist, based on achieving CMMC 2.0 Level 2 Certification and beyond. Download this list today to examine how your current IT security systems and policies measure up! 
