As you begin to do your research on reaching CMMC guidelines, one of the first questions you’re likely trying to answer is what level your company needs to meet. It’s one of the first questions asked, and rightfully so; once you know what CMMC level you need to meet to reach compliance, all you have to do is begin implementing the controls and guidelines to reach compliance.
The Cybersecurity Maturity Model Certification is a new DoD Cybersecurity Compliance requirement all DoD Contractors must achieve. The CMMC is designed to increase the protection of important (but not classified) DoD information called Controlled Unclassified Information (CUI).
- It protects Controlled Unclassified Information (CUI) & Federal Contractor Information (FCI)
The CMMC maturity level a company must meet depends upon the sensitivity of the DoD information it will work with on a contract, and attempts to mitigate the possible cyber threats associated with storing and sharing that data; therefore, the more important the CUI, the higher the CMMC Level accreditation will be required.
Note: Level 1 acts as the foundation for all other levels and must be completed by all certified organizations. This includes both primary contractors and subcontractors.
Does your company receive, process, or create CUI (Controlled Unclassified Information)? If so – your organization will need to be Level 3 or above.
Does your company handle “High Value Assets (HVA) CUI”? If so – your organization will need to be a Level 4 or 5.
If your company does not apply to either of the previous statements above, you will likely only be required to meet Levels 1 & 2.
Future RFPs (Request for Proposals) will declare what CMMC level is required for the contract. Also, contact your Program Managers – they are a good reference to begin understanding what CMMC Level your organization may require. CMMC certifications will be valid for three years for Levels 1-3.
Do you still have questions on your journey to compliance? Read our article here for more background information on CMMC, as well as this article here for information on the Delta20.