The 5 Levels of CMMC

Time is ticking on adopting the security postures required by the Cybersecurity Maturity Model Certification (CMMC). We realize that the requirements can feel overwhelming, but like most problems, they can be broken down into parts. And it just so happens that CMMC is divided into five levels, each tier building upon the previous one. The more of these levels your organization achieves, the better you will look when vying for a DoD contract. Here’s a closer look at what they are.

CMMC: Level 1 – Basic Cyber Hygiene

While Level 1 of CMMC may be considered “basic” cyber hygiene, it comprises 35 practices as of the latest CMMC revision (and at the time of writing this article). These cover everything from password strength to locking the door to your office when you leave for the day.

CMMC: Level 2 – Intermediate Cyber Hygiene

While Level 2 is considered more of a stepping stone toward protecting CUI, most companies — particularly those with managed service providers handling their basic IT — are mostly there already. There should be little to no extra cost for a company to reach Level 2. This is yet another example of why having an MSSP can be invaluable throughout this process. At the time of writing, Level 2 contains 115 practices.

CMMC: Level 3 – Good Cyber Hygiene

One of the major differences between CMMC Level 2 and CMMC Level 3 is ongoing security management. Just because an organization has purchased security solutions doesn’t necessarily mean they are properly in place or correctly implemented. There are 91 practices to adopt in Level 3. If an organization handling CUI has the practices of CMMC Level 3 in place at all times, it becomes a difficult target for malicious actors.

CMMC: Level 4 – Proactive

“Proactive” is exactly what it sounds like. At CMMC Level 4, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures, or TTPs, in use by APTs. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues. In total, Level 4 contains 95 practices.

CMMC: Level 5 – Advanced / Progressive

CMMC Level 5 is all about standardizing and optimizing. It mainly focuses on the protection of CUI from APTs. The 34 additional practices that make up Level 5 increase the depth and sophistication of cybersecurity capabilities and include the need for subject matter experts.

While the DoD is not asking small to medium-sized businesses to implement Fort Knox’s level of security, it is requiring adequate security and good cyber hygiene. That’s what the Cybersecurity Maturity Model Certification is all about. And that’s exactly why you should turn to the experts for help in adopting it. That’s where we come in.

 

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!