By this point, most, if not all, DoD contractors are aware they must comply with CMMC if they want to continue holding government contracts. But knowing which level your specific company requires can sometimes feel like a mystery.
Non-compliance with the standard can result in the loss of government contracts and legal and financial consequences. Therefore, it is essential to understand what CMMC level your company needs to achieve and take the necessary steps now to plan for and achieve this compliance.
What is the Difference Between CMMC Levels?
Per CMMC 2.0, the CMMC standard has three levels representing different requirements for cybersecurity maturity. The higher the level, the more advanced and comprehensive cybersecurity measures must be in place.
The levels are as follows:
CMMC Level 1 consists of 17 controls and is based on FAR 52.204-21. These controls protect covered contractor information systems and limit access to only authorized users. The 54-page assessment guide is only applicable to companies that focus on protecting Federal Contract Information (FCI).
CMMC Level 2 consists of 110 controls (inclusive of Level 1), 320 assessment objectives, and a 270-page assessment guide that applies to companies working with Controlled Unclassified Information (CUI). It is based on DFARS 252.204-7012. This level in CMMC is now completely aligned with the 110 controls of NIST SP 800-171.
CMMC Level 3 focuses on reducing risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on the DoD’s highest priority programs. Specific security requirements are still being determined by the DoD, but will most likely be based on the 110 controls of NIST SP 800-171 in addition to a subset of NIST SP 800-172 controls.
What Level of CMMC Do I Need for My Company?
The level of CMMC your company needs to achieve will depend on your scope, or the type of information your company handles and the type of government contracts you support.
The following questions will help you determine what level of CMMC you need:
If your company handles FCI, you must achieve at least CMMC Level 1.
If your company handles CUI, you must achieve at least CMMC Level 2, and you are already subject to the requirements of NIST 800-171.
If your company handles CUI related to national security systems or critical infrastructure, you will need to achieve CMMC Level 3.
What steps can I take to achieve CMMC compliance?
To achieve CMMC compliance, you will need to take several steps, including:
Feeling Overwhelmed by the CMMC Journey?
If tackling CMMC certification seems daunting, let the experts at SSE guide you through your journey. We are a Registered Provider Organization (RPO) accredited by the CYBER AB (formerly the CMMC Accreditation Body).
SSE has managed classified data and Controlled Unclassified Information (CUI) through evolving cybersecurity regulations for more than 12 years and has maintained our own and our clients’ NIST 800-171 compliance since it became law in 2017.
Contact us about an initial and complimentary CMMC Readiness Assessment today!