What are the CMMC (Cyber Security Maturity Model Certification) Levels

What are the CMMC (Cyber Security Maturity Model Certification) Levels

There has been much talk about the CMMC (Cybersecurity Maturity Model Certification) Program. Let’s take a minute to understand the levels of compliance that you may have to meet. 

There are 17 Domains that are spread over 5 levels of the maturity categories.  The Maturity Model is divided into 5 escalating categories. Many contractors will fall into level 1. However, if your organization stores, processes, or transmits any CUI (Controlled Unclassified Information) then you will need to be at level 3.  This seems to be the target that most are trying to hit.  

Source CMMC AB site

The CMMC program will be worked into contract language over the next 5 years and is designed to eventually be integrated into all DoD (Department of Defense) contracts.  

Special Notes for manufacturers or suppliers of Commercially off The Shelf (COTS) Products.  An example of this may be a nut or a bolt that you are supplying within a contract, may not rise to the level of CUI: (not sure what you are saying in this example, may want to consider rewording it)

Ask yourself:

  • Are there any CUI or export control labels?
  • Are there any augmentation to the nuts or bolts that are asked of you in the contract?
  • Are there any technical drawings that were sent?

If any of these are yes, you may fall under level 3 of CMMC compliance.  If all of these are no, you could be at level 1 or even none in rare cases. 

If you receive any of the following you may be at level 3: (this list is not complete) 

  • Marked CUI data
  • FOUO (For Official use Only), ITAR (International Traffic in Arms Regulations, EAR (Export Administration Regulations) or export controlled markings
  • CDI (Covered Defense Information) markings
  • Any work product directly supporting the government deliverable. Ex: a formula for a coating for a widget that was contracted for you to develop. (this does not normally include your corporate system support output that was used in the delivery of the contracted product) 
  • For more details visit the NARA (National Archives and Records Administration) website www.archives.gov/cui/about  

Some have asked where Managed IT Service Providers like F1 Solutions might fall into the CMMC framework. As of right now I am hearing two different answers. The first is, at the level of what our clients are processing and what we have access to.  The second is Level 2 for IT companies.  I will provide more clarity as I get it.  

Please let us know if we can be of any help navigating through these CMMC levels.

F1 Solutions: https://www.f1networks.com/

Jennifer VanderWier/CISO

Need help finding ways to reduce business costs? Our FREE eBook has the answer.Learn more here