Let’s Talk About CMMC and DoD

CMMC: Five Levels
Home » Blog » Let’s Talk About CMMC and DoD

Cybersecurity is quickly becoming a national priority. As cyberattacks from abroad increase in number, vulnerabilities have been found at all levels. The SolarWinds attack in 2019 revealed just how bleak the situation was. Few companies had implemented proper cybersecurity processes and practices, which led to widespread concern, especially in the Department of Defense, whose many contractors were hit by this hack. The Cybersecurity Maturity Model Certification (CMMC) was created in response: here’s how it works.

CMMC was proposed by the Department of Defense (DoD) in partnership with contractors and industry leaders. The goal was twofold. First, this framework would help companies bolster their cybersecurity. Second, it would make it easier for the DoD to evaluate its partners and contractors. This has major ramifications for any DoD contractor. No longer will the DoD simply take you at your word. Now you have to prove your commitment to cybersecurity.

 The framework is organized into domains, capabilities, and practices. Domains refer to areas of expertise, for instance, access control. Within each domain are multiple capabilities, such as controlling remote system access. Below this level are practices or controls, which are specific actions you must be able to perform. For example, within the remote system access capability, “route remote access via managed access control points.” Each level increases the documentation and amount of control required by your organization.

Level 1: Performed Processes, Basic Cyber Hygiene Practices

Level 1 - Basic Cyber Hygiene

You’ll notice that each of these levels defines the extent to which processes need to be documented and evaluated. The second half of the level’s definition determines the practices that need to be implemented. The first level represents the very basics of cyber hygiene and documentation. Essentially, everyone starts at this level. There are 17 practices called for at the first level, one for each domain.

For example, basic level-one practices under the physical protection domain include escorting visitors to avoid unwarranted access or controlling access to physical devices. At this level, no documentation is necessary; your processes are simply “performed” by your employees without any standard operating procedure. That’s the most notable change to move into level two.

Level 2: Documented Processes, Intermediate Cyber Hygiene Practices

Level 2 - Intermediate Cyber Hygiene

At this level, You must document your processes, which are often misunderstood. Documentation does not necessarily have to be step-by-step instructions for how to handle each process. That comes later. For now, evidence that you are performing the process is sufficient enough to reach the second level of CMMC. Documenting how you conduct your operations will make it easier to codify them into basic instructions.

Level 2 is seen by the DoD as more of a transitional phase on your way to level 3. However, it does add a significant number of practices or controls. While level 1 has just a single one for each domain, level 2 brings the total number of rules up to 72. To continue the example of the Physical Protection domain, level 2 specifies that your organization protects and monitors the physical facility, perhaps through the use of security cameras. 

Level 3: Managed Processes, Good Cyber Hygiene Practices

Level 3 - Good Cyber Hygiene

Level 3 is the target level that the DoD hopes to see its contractors and partners reach as soon as possible. At this level, your processes are managed. That means there is a clear policy for how you handle each process, complete with instructions. In addition, there is a plan in place to ensure that the process is carried out as specified. What should this plan include?

Your plans ought to mention tools or software that you will utilize to verify compliance, as well as a list of authorized personnel or positions that may perform the process. In addition, you may include training plans and the involvement of other stakeholders. If you have specific projects in the works, mention how these will be affected by your policies. Another 59 controls are added to this level, meaning you’ll have a lot of work to do.

Level 4: Reviewed Processes, Proactive Practices

Level 4 - Proactive

Since each level includes the processes and practices mentioned in the previous levels, if you’ve made it this far, you’re doing great. Most of your practices are under control by this point, with only another 26 to consider at level 4, bringing your total to 157. These practices are proactive in nature. For example, level 4 practices include employing threat intelligence and scanning for unauthorized ports on your network under the Risk Management domain. 

The most significant change, however, is the need for review. Your processes must be put to the test. You’ll need to set up a plan for reviewing the level of compliance within your organization. Objectively measuring performance is critical here; subjective evaluations need not apply. The results of your review will be sent to upper management and archived in case the DoD audits and requests them. You’re almost at the CMMC summit, so what’s left?

Level 5: Optimizing Processes, Advanced and Progressive Practices

Level 5- Advanced/progressive

Level 5 is where the DoD would like to see everyone, although it doesn’t require every single contractor to reach this level yet. Another 16 controls round out the complete set of 173, but these are hardly new requirements. Most of the practices imposed at level 5 are focused on improving your existing capabilities or standardizing them outside of your physical facilities. Since larger companies will have multiple offices or work in the field, level 5 considers that.

Your processes are classified as optimizing at this level. You have a standardized approach to all of your processes that can be used throughout your entire organization, regardless of location or the type of work being performed. These processes are subject to review and are regularly refined to improve them in the face of new threats.

Level Up Your CMMC Compliance

Failing to bring your cybersecurity up to code can leave you on the outside looking in. Lucrative contracts are going to be reserved for companies that can demonstrate their CMMC level. If you need an evaluation of your cybersecurity practices or would like help bringing your organization up to code, contact Edafio Technology Partners today. We’ll help you level up and become CMMC complaint.

Scroll to Top