CMMC Certification: How to Prepare for DoD Compliance
The CMMC is a security framework that requires DoD contractors to maintain a uniform set of cybersecurity standards to bid on contracts and, more importantly, access DoD systems. The DoD created the CMMC certification framework to better enforce the security controls laid out in NIST SP 800-171.
Note: The CMMC framework has undergone a major overhaul. The most recent version, often called "CMMC 2.0," streamlines the certification levels and clarifies the requirements. The DoD released this updated version to reduce the burden on small and medium-sized businesses while maintaining robust cybersecurity practices.
Here, we'll cover the CMMC certification levels, their differences, and the controls at each level.
What are the CMMC Levels?
CMMC 2.0 now has three levels (reduced from five). The new version eliminates some requirements from the original framework and focuses more on self-assessments at the lower levels, with third-party assessments required at higher levels. Let's explore the requirements and focus for each level.
Level 1: Basic Cyber Hygiene
Level 1 is designed for organizations that handle only Federal Contract Information (FCI). They must comply with the procedures outlined in Federal Acquisition Regulation (FAR) 52.204-21.
The primary focus of this level is basic cyber hygiene practices, like using strong passwords, limiting system access to authorized users, and ensuring the secure handling of information. This level is primarily about meeting basic security practices that many companies already follow.
Level 2: Advanced Cyber Hygiene
Level 2 is for organizations that work with Controlled Unclassified Information (CUI). To achieve Level 2 certification, organizations must comply with the 110 security controls outlined in the NIST SP 800-171 standard.
The controls cover domains like access control, incident response, and system security. These controls are designed to protect CUI from unauthorized access and require more robust cybersecurity measures than Level 1. This level serves as an intermediate step towards the highest level of security and maps directly to the requirements in NIST SP 800-171.
Level 3: Expert Cyber Hygiene
Level 3 is for organizations that handle CUI and will likely face Advanced Persistent Threats (APTs). At this level, organizations must comply with the enhanced security requirements specified in NIST SP 800-172 and the controls from NIST SP 800-171.
Level 3 is the highest level of the CMMC framework and is for organizations subject to more advanced cyber threats. The additional controls include insider threat monitoring, advanced encryption methods, and broader monitoring and response capabilities. This level requires the most comprehensive cybersecurity practices to protect against external and internal threats.
What are the Differences Between the CMMC Certification Levels?
The main differences between the CMMC certification levels lie in the rigor of the cybersecurity practices required. Level 1 focuses on basic cyber hygiene and requires practices to be performed but not necessarily documented. CMMC Level 2 requires meeting the requirements in NIST SP 800-171, and requires documented practices to protect Controlled Unclassified Information (CUI).
CMMC Level 3 is the most stringent and is designed to counter Advanced Persistent Threats (APTs) with highly sophisticated cybersecurity practices. It also requires continuous monitoring and well-defined practices to respond to threats. Each level builds on the previous one, with increasing requirements for documentation, consistency, and threat protection.
This chart outlines the specific differences between the three CMMC levels:
| CMMC Level | Information Type | Focus | Compliance Basis | Key Characteristics |
|---|---|---|---|---|
| Level 1 | FCI | Basic Cyber Hygiene | FAR 52.204-21 | Basic safeguarding requirements and procedures. |
| Level 2 | CUI | Advanced Cyber Hygiene | NIST SP 800-171 | 110 security controls for comprehensive CUI protection. |
| Level 3 | CUI (with APTs) | Expert Cyber Hygiene | NIST SP 800-171 & SP 800-172 | Advanced measures against persistent cyber threats. |
What are the CMMC Domains?
The CMMC framework is organized into several domains that cover different aspects of cybersecurity practices. Each domain represents a key area of cybersecurity focus. As of CMMC 2.0, the framework has streamlined its structure, but the core domains remain relevant. Here are the CMMC domains:
Access Control (AC): Ensures only authorized users and devices can access systems and data.
Asset Management (AM): Focuses on the identification, management, and protection of assets (e.g., hardware, software, and data) in an organization.
Audit and Accountability (AU): Ensures users' and systems' actions are traceable to improve accountability and detect potential issues faster.
Awareness and Training (AT): Emphasizes the importance of cybersecurity training and awareness for all personnel.
Configuration Management (CM): Involves managing and controlling the configuration of systems to maintain security and integrity.
Identification and Authentication (IA): Ensures systems properly authenticate users and devices before granting access.
Incident Response (IR): Focuses on the capability to respond to cybersecurity incidents effectively.
Maintenance (MA): Involves regular maintenance of systems and networks to ensure their secure operation.
Media Protection (MP): Ensures physical and digital media are protected from unauthorized access and damage.
Personnel Security (PS): Addresses the security of personnel, including background checks and clearance levels.
Physical Protection (PE): Ensures that physical access to systems and facilities is controlled and monitored.
Recovery (RE): Ensures that systems can recover from incidents or failures with minimal disruption.
Risk Management (RM): Involves identifying, assessing, and mitigating risks to the organization’s cybersecurity.
Security Assessment (CA): Covers the evaluation and assessment of the effectiveness of security controls.
Situational Awareness (SA): Maintains awareness of the cybersecurity environment and emerging threats.
Systems and Communications Protection (SC): Ensures systems and communications are protected from unauthorized access and threats.
System and Information Integrity (SI): Ensures that systems and data maintain their integrity and are protected from corruption or tampering.
How to Prepare for DoD CMMC Compliance
If you want to pass a CMMC audit, the first step is to understand the specific control mechanisms that CMMC assessors evaluate at each certification level. As the CMMC framework has evolved, the requirements have become more streamlined, but the core focus remains on adhering to the cybersecurity standards that protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Here are a few more tips to prepare for DoD CMMC compliance:
Familiarize Yourself with NIST Standards: The CMMC is closely aligned with the controls outlined in NIST SP 800-171 and NIST SP 800-172 for the higher levels of certification. Review these standards thoroughly, as they form the backbone of the CMMC requirements, particularly for Levels 2 and 3.
Prepare for the Audit: NIST SP 800-171A is widely recognized as a practical tool for conducting self-assessments and preparing for third-party evaluations. Use this guide to assess your current cybersecurity posture and identify gaps.
Understand Domain Codes and Control Mechanisms: Each control mechanism within the CMMC framework is associated with one of the domains listed above and with a specific certification level. This coding system helps you track and manage the various requirements within your organization.
How to Pass the CMMC Audit
CMMC certification requirements are detailed, but the way they're divided between different levels achieves an appropriate balance. Knowing the philosophy behind the CMMC-level requirements should help frame the specific control mechanisms you need to adopt. It'll also provide more insight into what you can expect from CMMC auditor requirements when it's your turn to be evaluated.
To increase your chances of passing a CMMC audit, don't just look at the tasks you must fulfill. Read through the ones at higher CMMC levels to gain a sense of context, and consider adopting more advanced security measures as soon as possible.
Looking to learn more about IT security? Check out the CBT Nuggets training for CompTIA Security+.