CMMC is a cybersecurity program instituted by the Department of Defense (DoD) that was designed to ensure that there is a minimum level of security in place for DoD contractors’ networks. This minimum level of security is focused around ensuring confidentiality, and specifically the confidentiality of Controlled Unclassified Information (CUI).
The security controls required to be implemented for CMMC are defined within National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
CMMC will ultimately be required for all contractors doing business with the DoD. This includes prime contractors, subcontractors and their partners – any party that is handling any type of CUI Controlled Defense Information (CDI) or Federal Contact Information (FCI). Contractors will be required to meet one of the three CMMC certification levels, and prove that security controls have been implemented via independent assessors. Ultimately, new contract awards and ongoing contract continuance will require CMMC compliance.
CMMC defines 3 different levels of compliance depending on the type of information contractors are handling.
Level 1 – Foundational
Includes basic cybersecurity control mechanisms generally suitable for smaller companies. Companies certified at this level are not expected to have mature processes in places. This level requires 17 controls, an annual self-assessment and sign off by executive management.
Level 2 – Advanced
Requires implementation of 110 controls from NIST 800-171. The expectation is that organization have mature processes that are in place and are consistently followed. Independent assessment is required for organization that have a requisite to adhere to CMMC Level 2.
Level 3 – Expert
Requires the implementation of 130 controls from NIST 800-171 & NIST 800-172. The expectation is that all processes are highly mature and continually improved. Independent assessment is required for organizations that have a requisite to adhere to CMMC Level 3.
GAI Cyber is a Registered Provider Organization (RPO) and our team consists of certified Registered Practitioners (RP) that have been accredited by the CMMC-AB (CMMC Accreditation Body). We are certified to provide consultative services for organizations seeking CMMC accreditation and have assisted organizations with NIST 800-171 implementations since 2015. Our team will determine what CMMC compliance requirements apply to your organization – don’t put your government contracts and partners in jeopardy.