What Level of Cybersecurity Do DoD Contractors Need to Meet New CMMC Certification Regulations?

This year, the Department of Defense issued the official version of the Cybersecurity Maturity Model Certification (CMMC), which outlines cybersecurity regulations that must be adhered to by all DoD contractors.

These measures have been put in place in order to verify that there is an appropriate level of cybersecurity present in all businesses that have contracts with the DoD. The certification will cover cyber hygiene and the protection of controlled unclassified information (CUI).

The certification covers each level of cyber hygiene, from Basic Cyber Hygiene through Advanced, and the qualifications required to meet each level. The level of cybersecurity your business is required to achieve depends on which contracts you service and on how you use and store CUI.

All DoD contractors are expected to be prepared for audits to begin later this year, where third-party auditors will determine the cyber hygiene level your business has obtained. The level of cybersecurity within the CMMC that your business achieves will determine which government contracts you are allowed to bid on.

The Five Levels of the CMMC Framework

Within the CMMC there are five levels of cyber hygiene that DoD contractors can meet. The CMMC level that your business obtains will dictate the type of contracts you will be able to win. For example, by attaining only the Level 2 certification, your business will not be able to bid on a Request for Proposal (RFP) that specifies Level 3 or higher. The level you need to achieve also depends on how much Controlled Unclassified Information (CUI) your business handles or stores.

Level 1: Basic Cyber Hygiene

This is the baseline level that all contractors will be required to meet. The requirements you must meet to obtain this level of cyber hygiene are equivalent to those found in FAR 52.204-21, which handles Federal Contractor Information.

Level 1 features 15 requirements and focuses on basic safeguarding and management of user and device identification and authentication, as well as physical access, visitor access, protection from malicious code, and system scanning.

Level 2: Intermediate Cyber Hygiene

This level builds on Level 1 with the addition of 55 cyber hygiene requirements. To qualify for Level 2, business practices must be considered acceptable cybersecurity best practices, processes must be documented, and systems must be resilient to basic threat actors.

Other practices that would be involved in qualifying for Level 2 are security awareness training for staff, risk assessment and management, and security continuity.

Level 3: Good Cyber Hygiene

To be compliant with Level 3, businesses must meet a further 58 requirements in addition to those in Level 2. This is also the minimum level of cyber hygiene required for businesses that handle CUI.

Qualifications for Level 3 include coverage of all NIST 800-171 controls, multi-factor authentication, proper procedures for communicating threat information to stakeholders, and an Information Security Continuity Plan.

Level 4: Proactive

There are 26 proactive cyber practices in Level 4 which protect CUI against Advanced Persistent Threats (APTs). To be fully compliant with Level 4, a business must continually review the effectiveness of its procedures, proactively take corrective measures when necessary, and ensure that the findings of those reviews are communicated to the relevant people.

Requirements for Level 4 include practices such as network segmentation, threat hunting, and Data Loss Prevention technologies.

Level 5: Advanced/Progressive

To qualify for Level 5, businesses must have highly advanced cybersecurity practices that are continually improved on an organizational scale. Your systems should be resilient to even the most advanced threat actors.

Some practices that your business will be expected to implement to achieve Level 5 cyber hygiene are cyber maneuver operations, autonomous initial response actions, and a 24×7 SOC.

Can Businesses Still Self-Certify Under The New CMMC Regulations?

Under the new CMMC regulations, it will no longer be possible for businesses to self-certify as contractors were able to do before under NIST 800-171. To determine the certification levels of all DoD contractors, the DoD will be authorizing independent third-party auditors to begin assessing businesses seeking certification from the middle of 2020 onwards.

As you prepare for an audit to determine your level of CMMC, it is wise to work with a Managed Service Provider who is well-versed in the new CMMC regulations and DFARS compliance. A partner like Corsica Technologies will be able to help you attain the level of cybersecurity that your business will need in order to continue bidding on certain government contracts.

Not only will utilizing the services of a Managed Service Provider mean that you will be able to obtain the compliance levels necessary to ensure your business does not lose out on valuable contracts, but it will also serve to protect your business from the growing cybersecurity threats that concern all businesses.

With an ever-growing risk from cybercriminals, all businesses face a threat that can be very costly if it is not correctly managed and mitigated. This issue becomes considerably more significant when you also consider the consequences of a security breach while you are handling such complex and sensitive data.

For more information, check out Corsica Technologies’ guide on cyber requirements for DoD contractors.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.