If your organization is a vendor to a company that holds DoD contracts, or works directly with DoD information, it will soon be required to be CMMC compliant. CMMC (Cybersecurity Maturity Model Certification) is designed to ensure that defense contractors, and the vendors who support them, meet a baseline level of cybersecurity that protects sensitive defense information. CMMC compliance establishes proactive, consistent data-security practices, and organizations that achieve it gain both peace of mind and opportunity. AirComply works with your organization to guide you step by step to certification.
DoD Contracts are Big Business.
According to the Center for Strategic and International Studies, the DoD spent $421.3 billion on contracts in fiscal year 2020. The US government takes security seriously. CMMC requirements continue to evolve, and new requirements affecting your business could take effect as early as 2023. Don’t jeopardize your ability to fulfill contracts: getting certified now ensures your organization can keep doing business with the DoD and its vendors as requirements become more demanding.
How Does CMMC Certify Businesses?
The CMMC model has five levels, each indicating a higher degree of protection for sensitive information. To be certified at a given level, an organization must also meet all requirements of the levels below it. Organizations cannot self-attest; they must demonstrate their processes and practices to an accredited third-party assessor (C3PAO).
Level 1 safeguards Federal Contract Information (FCI). Its 17 practices correspond to the 15 basic safeguarding requirements in FAR 52.204-21: limiting who can access systems and data, sanitizing or destroying media before disposal, protecting against and scanning for malicious code, and other basic hygiene every business should follow. See FAR 52.204-21 for the full list of requirements.
Level 2 is a transition step toward the more mature protection needed for Controlled Unclassified Information (CUI). It covers a little more than half of the NIST SP 800-171 controls plus everything in Level 1. NIST SP 800-171 gives federal agencies recommended requirements for protecting the confidentiality of CUI; those requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components.
Level 3 covers all 110 NIST SP 800-171 controls, 20 additional practices, and everything from the previous levels.
Levels 4 and 5 are more demanding and aim to reduce the risk posed by advanced persistent threats (APTs), drawing controls from a range of frameworks: CERT RMM v1.2, NIST SP 800-53, NIST SP 800-172, ISO 27002, CIS CSC 7.1, and others.
The required CMMC level varies by contract: the DoD sets it in each solicitation based on the sensitivity of the information the work involves. CMMC levels are certification levels, not personnel security clearances. If your organization does not work directly for the DoD, it may need only Level 3 or below; if it handles high-value information, it will likely need Level 4 or higher. The Department of Defense determines what level of security an organization must demonstrate before it can work with controlled or otherwise sensitive data.