If organizations wish to do business with the DoD, they must follow the cybersecurity practices put in place by the evolution of CMMC 1.0 to CMMC 2.0. With more than 300,000 organizations in the DIB supply chain, it is crucial that each entity follows the same guidelines. The CMMC 2.0 framework levels simplify the process, with only three required stages for contractors and subcontractors.
Compliance is based on the type of information the organization handles, as determined by the applicable clauses in the awarded DoD contract. Each level within the three-tiered set of security standards for government contractors and subcontractors has its own assessments and practices. The levels are cumulative: once you achieve CMMC Level 1, Level 2 only requires adding the next set of rules. Before you determine which CMMC level your team should work towards, follow our CMMC requirements checklist to identify the level you need to maintain compliance.
CMMC Level 1: Foundational
This level applies to DoD contractors that only work with FCI data. These suppliers are not involved in creating, processing, or receiving controlled unclassified information. To maintain compliance with the CMMC foundational level, contractors must meet the 17 requirements of FAR 52.204-21. Currently, CMMC Level 1 does not require a third-party assessment, only self-attestation.
CMMC Level 2: Advanced
This level applies to all organizations involved in creating, processing, storing, or transmitting FCI, CUI, and Controlled Technical Information (CTI). In addition to meeting the CMMC Level 1 requirements, organizations must also meet the 110 security requirements outlined in NIST 800-171.
Unlike CMMC Level 1 self-attestation, Level 2 requires an assessment completed by a CMMC Third Party Assessor Organization (C3PAO), unless otherwise specified in the awarded contract. Meriplex can help you prepare for a C3PAO assessment through our managed detection and response services and our cybersecurity consulting services, giving you confidence that you will meet all the requirements to stay compliant.
CMMC Level 3: Expert
CMMC Level 3 certification will be designed for any supplier that handles high-value assets. Although the full requirements for CMMC Level 3 have not yet been released, organizations that aspire to meet this stage must comply with the additional practices in NIST 800-172. The additional requirements will focus on protecting all sensitive information an organization may encounter against advanced persistent threats. CMMC Level 3 compliance will be assessed by government officials once the level's requirements have been finalized.
For every DoD contractor, maintaining data security to the CMMC 2.0 standard is crucial. Meriplex understands the importance of network security management and how the right protocols are vital for business continuity – especially when working with the DoD or other government agencies. Our SIEM and SOC solutions, managed detection and response service, and security awareness training offer a foundation for achieving CMMC 2.0 compliance across your organization. Contact us today to find out how our offerings can help you conform with the latest digital security standards.