Our Solutions
CMMC Level 1 & CMMC Level 2
CMMC Level 1
CMMC Level 1 is the essential cybersecurity foundation for any organization handling Federal Contract Information (FCI) in the Defense Industrial Base (DIB). This level emphasizes basic cyber hygiene with 17 security controls across six domains, including access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Netbrio provides expert guidance and support to achieve CMMC Level 1 compliance, including gap assessments, remediation planning, policy development, and ongoing support. With Netbrio’s assistance, organizations can confidently protect FCI, meet DoD contract requirements, and establish a strong cybersecurity posture.
CMMC Level 2
CMMC Level 2 is a critical cybersecurity standard for any organization handling Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). This level builds upon the basic cyber hygiene of Level 1 and requires the implementation of all 110 security controls outlined in NIST SP 800-171. These controls cover 14 domains, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Netbrio offers expert guidance and support to navigate the complexities of CMMC Level 2 compliance, including gap assessments, remediation planning, policy development, and security awareness training. Partner with Netbrio to safeguard CUI, meet DoD contract requirements, and achieve a mature cybersecurity posture.
CMMC FAQs
How can organizations ensure ongoing compliance with CMMC Level 1 after certifcations?
Key Takeaways for CMMC Level 1 and CMMC Level 2 Success
- CMMC Level 1 prioritizes fundamental cyber hygiene.
- Compliance hinges on implementing and documenting 17 essential security practices.
- A systematic approach, including gap analysis, implementation, and ongoing monitoring, is crucial for achieving and maintaining compliance.
To ensure ongoing compliance after certification, organizations must remain vigilant. This involves:
Regular Network Monitoring: Continuously assess your network for vulnerabilities and unauthorized access attempts.
Data Security Updates: Keep all security protocols and software up-to-date to protect against evolving threats.
Employee Training: Regularly update training programs to reinforce the importance of security practices among staff.
Routine Audits: Conduct periodic audits to ensure all security measures are properly documented and executed.
By integrating these practices into your compliance strategy, your organization can maintain its certification and protect vital information assets effectively.
What should organizations focus on after achieving certification?
After certification, organizations should concentrate on maintaining robust network and data security measures to ensure ongoing protection.
What are the system and information integrity requirements for CMMC Level 1?
System and Information Integrity: Timely identification, reporting, and correction of information and system flaws.
Ensuring robust system and information integrity involves several key actions:
Identify and Address Flaws: Regularly identify, report, and correct any flaws in information and systems to maintain their integrity.
Protection from Malicious Code: Implement protective measures against malicious code at strategic points within your organization’s information systems. This ensures that vulnerabilities are minimized and the system remains secure.
Update Protection Mechanisms: Keep your malicious code protection mechanisms current by updating them whenever new releases are available. This proactive approach helps guard against emerging threats.
Perform Scans: Conduct periodic scans of the entire information system and real-time scans of files from external sources. These scans should occur as files are downloaded, opened, or executed to ensure ongoing security.
By adhering to these detailed requirements, organizations can effectively maintain the integrity and security of their information systems, meeting the standards necessary for compliance.
What are the system and communications protection requirements for CMMC Level 1?
System and Communications Protection: Monitoring, controlling, and protecting organizational communications (e.g., email, internet) and system access points is crucial. To ensure robust security, organizations must:
Monitor and Control Communications: Actively oversee and manage the flow of information transmitted or received by organizational information systems. This includes safeguarding communications at both the external boundaries, such as internet gateways, and key internal boundaries to prevent unauthorized access and data breaches.
Implement Subnetworks: Establish subnetworks for publicly accessible system components. These subnetworks should be either physically or logically separated from the internal networks, ensuring that any potential vulnerabilities in public-facing systems do not compromise the internal infrastructure.
By adhering to these requirements, organizations can enhance their system protection measures, ensuring a secure and resilient communication network.
What are the physical protection requirements for CMMC Level 1?
Physical Protection: Limiting physical access to systems and facilities.
To ensure the security of your organization’s information systems and equipment, it is essential to implement stringent physical protection measures. Here’s how you can achieve this:
Restrict Access: Limit physical access to your information systems, equipment, and operating environments to only those individuals who are authorized. This helps in safeguarding sensitive data from unauthorized personnel.
Visitor Management: Always escort visitors and closely monitor their activities. This reduces the risk of unauthorized access and ensures that visitors do not compromise security protocols.
Audit Log Maintenance: Keep comprehensive audit logs of all physical access devices. These logs are crucial for tracking access attempts and identifying any potential security breaches.
Access Device Control: Regularly control and manage physical access devices, ensuring they are functional and secure. This includes maintaining locks, key cards, and other security mechanisms to prevent unauthorized entry.
By integrating these practices, you can significantly enhance the physical security of your organization’s critical assets, aligning with the requirements for CMMC Level 1 compliance.
What are the 15 domains of CMMC 2.0 Level 2 compliance and their corresponding controls?
CMMC 2.0 Level 2 compliance is structured around 15 key domains, each featuring a specific number of controls that organizations must implement. Here’s a breakdown of these domains and their corresponding controls:
Access Control (AC): Critical for safeguarding who can access your systems, this domain includes 22 controls to regulate permissions and prevent unauthorized access.
Audit and Accountability (AU): This domain ensures that activities are monitored and recorded, with 9 controls dedicated to maintaining transparency and accountability.
Awareness and Training (AT): With 3 controls, this domain focuses on the importance of educating and training personnel about security practices.
Configuration Management (CM): Encompassing 9 controls, this domain involves maintaining and documenting secure configurations for systems and software.
Identification and Authentication (IA): Vital for verifying user identities, this domain includes 11 controls to ensure secure access.
Incident Response (IR): This domain prepares organizations to handle security incidents effectively with 3 controls that outline response plans and mitigation strategies.
Maintenance (MA): There are 6 controls in this domain aimed at managing and upkeeping secure hardware and software operations.
Media Protection (MP): Focusing on safeguarding data and media, this domain has 9 controls for handling and protecting sensitive information.
Personnel Security (PS): Comprised of 2 controls, this domain addresses the security policies for hiring and managing individuals with access to sensitive information.
Physical Protection (PE): With 6 controls, this domain is responsible for securing physical access to organizational facilities and assets.
Recovery (RE): Featuring 2 controls, this domain underlines the need for recovery plans to restore compromised systems and data.
Risk Management (RM): There are 3 controls that focus on identifying and managing risks to mitigate potential impacts on the organization.
Security Assessment (CA): This domain includes 4 controls that focus on evaluating security measures and ensuring they are effectively implemented.
System and Communications Protection (SC): Aimed at safeguarding information transmission, this domain includes 16 controls addressing the security of communication systems.
System and Information Integrity (SI): Consisting of 7 controls, this domain ensures systems can quickly detect and correct information security threats.
Each domain plays a critical role in ensuring comprehensive cybersecurity measures to protect systems and data.
What checklist can help organizations prepare for CMMC Level 2 compliance?
CMMC Level 2 Compliance Preparation Checklist
Preparing your organization for CMMC Level 2 compliance involves a focused approach to strengthening cybersecurity measures. Here’s a streamlined checklist to guide your journey:
Understand the Framework: Begin by exploring the 110 requirements distributed across 14 distinct domains of CMMC Level 2. Comprehensive knowledge of these areas is crucial.
Conduct a Gap Analysis: Carry out an in-depth analysis to determine where your current cybersecurity practices fall short in meeting these standards.
Remediation Planning: Design a practical plan to address identified gaps. This involves implementing the necessary controls required for compliance.
Resource Allocation: Ensure you have the necessary budget and personnel in place to support these initiatives effectively.
Staff Training: Educate your team on specific CMMC requirements and general cybersecurity best practices to ensure everyone is aligned with new protocols.
Develop Documentation: Create the necessary policies, procedures, and documentation that will underpin your compliance efforts.
Ongoing Review and Updates: Regularly evaluate and update your cybersecurity practices to adapt to new threats and maintain compliance.
Seek Expert Guidance: Collaborate with experienced CMMC consultants or C3PAOs for valuable advice and to aid your assessment process.
Self-Assessment: Conduct a thorough self-assessment to evaluate your readiness systematically before the formal CMMC audit.
Schedule an Assessment: Finally, plan an official CMMC assessment with an accredited C3PAO to confirm that your organization meets all compliance requirements.
By following this checklist, organizations can systematically enhance their cybersecurity measures and successfully prepare for a CMMC Level 2 audit.
Who provides CMMC certifications?
CMMC Certifications Awarded by Accredited Third-Party Assessors
For organizations seeking Cybersecurity Maturity Model Certification (CMMC), the official certification is not provided directly by the Department of Defense (DoD). Instead, CMMC certifications are awarded by accredited CMMC Third-Party Assessment Organizations (C3PAOs).
These C3PAOs are private companies that have been authorized by the Cyber AB (formerly the CMMC Accreditation Body) to conduct CMMC assessments. The Cyber AB is the sole authorized accreditation and certification partner of the DoD for the CMMC program. It is responsible for accrediting and overseeing the C3PAOs to ensure they meet the rigorous standards required to perform assessments.
What is a passing CMMC score?
Navigating the Cybersecurity Maturity Model Certification (CMMC) program requires a clear understanding of its scoring, which varies significantly across its three levels. A “passing” score is not a single numerical value but rather a status achieved by meeting specific criteria, which can include a perfect score for some levels or a conditional pass with a time-bound remediation plan for others.
CMMC Level 1: Foundational Cyber Hygiene
For CMMC Level 1, the concept of a numerical score does not apply. To achieve a “passing” status, an organization must successfully implement all 15 of the basic safeguarding requirements outlined in FAR 52.204-21. Assessments at this level are conducted annually as self-assessments. Crucially, the use of a Plan of Action and Milestones (POA&M) to address deficiencies is not permitted for Level 1. Therefore, a passing status is binary: either all controls are met, or the organization is not compliant.
CMMC Level 2: Advanced Cyber Hygiene
CMMC Level 2 aligns with the 110 security controls of NIST SP 800-171 and introduces a more complex scoring system. The maximum achievable score is 110, with each control having a specific point value. Points are deducted for any unimplemented controls, with the deduction ranging from one to five points depending on the control’s significance.
There are two primary “passing” statuses for Level 2:
Conditional Certification: An organization can achieve a Conditional Certification with a minimum score of 88 out of 110. This allows for a limited number of unmet controls to be placed on a POA&M. However, these deficiencies must be fully remediated within 180 days of the assessment. This conditional status allows organizations to bid on and be awarded contracts while they finalize their cybersecurity posture.
Final Certification: To obtain a Final Certification for CMMC Level 2, an organization must achieve a perfect score of 110, demonstrating that all 110 controls from NIST SP 800-171 are fully implemented. This certification is valid for three years.
It is important to note that certain critical controls may not be eligible for a POA&M, meaning they must be fully implemented to achieve even a Conditional Certification, regardless of the overall score.
CMMC Level 3: Expert Cyber Hygiene
Progression to CMMC Level 3 requires an organization to first have a Final CMMC Level 2 certification, meaning they have already achieved a perfect score of 110 on the NIST SP 800-171 controls. Level 3 then introduces an additional 24 security requirements based on NIST SP 800-172.
The scoring for these additional controls is not weighted in the same manner as Level 2. Instead, each of the 24 requirements is worth one point. A “passing” score for Level 3 also has two tiers:
Conditional Certification: An organization can receive a Conditional Certification at Level 3 if it has met at least 20 of the 24 additional requirements, resulting in a minimum score of 80 on this subset of controls. The remaining unmet controls must be addressed through a POA&M within 180 days.
Final Certification: A Final Certification at Level 3 is awarded when all 24 additional security requirements are met. This certification is also valid for three years.
In conclusion, the “passing” score for CMMC is not a one-size-fits-all answer. It is a tiered system that reflects the increasing levels of cybersecurity maturity, with the ultimate goal being the full implementation of all required controls for the desired certification level. The allowance for conditional certification with a POA&M provides a pathway for organizations to achieve compliance while actively working to close any remaining security gaps.
Can you self-certify for CMMC?
Yes, organizations can self-certify for some levels of the Cybersecurity Maturity Model Certification (CMMC), but it is not an option for all. The ability to self-certify, more accurately termed a “self-assessment,” depends on the CMMC level an organization is required to meet based on the sensitivity of the information it handles.
Here’s a breakdown of the certification requirements for each CMMC 2.0 level:
CMMC Level 1: Organizations at this foundational level are permitted to conduct an annual self-assessment of their cybersecurity practices. This involves ensuring that all 15 of the basic safeguarding requirements are met. Following the self-assessment, a senior official from the company must formally affirm compliance with the Department of Defense (DoD).
CMMC Level 2: This level has a bifurcated approach to certification. A subset of organizations at Level 2, specifically those that do not handle information critical to national security, are allowed to perform an annual self-assessment and affirmation. However, for companies that handle more sensitive Controlled Unclassified Information (CUI), a triennial third-party assessment conducted by an authorized CMMC Third-Party Assessment Organization (C3PAO) is required. The specific requirements will be outlined in the contract language.
CMMC Level 3: For organizations requiring the highest level of cybersecurity, self-certification is not an option. CMMC Level 3 mandates a triennial assessment led by government officials from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This stringent requirement reflects the critical nature of the information handled by these organizations.
How much does it cost to get CMMC certified?
For defense contractors, achieving Cybersecurity Maturity Model Certification (CMMC) is a critical step to securing and maintaining Department of Defense (DoD) contracts. However, the cost of certification is a significant consideration, with expenses varying widely based on a company’s current cybersecurity posture, the required CMMC level, and the complexity of its IT environment. There is no simple price tag for CMMC certification; rather, the total investment is a sum of several key components.
Understanding the Key Cost Drivers
The journey to CMMC certification involves more than just the final assessment. Businesses must budget for a multi-faceted process that includes:
Readiness and Pre-Assessment: This initial phase is crucial for understanding an organization’s current cybersecurity gaps. Costs here can include hiring a third-party consultant to conduct a gap analysis, which can range from a few thousand dollars to upwards of $20,000, depending on the company’s size and complexity. This phase also involves developing a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
Remediation and Implementation: This is often the most significant cost component. It involves addressing the deficiencies identified in the readiness assessment. Expenses can range from implementing multi-factor authentication and endpoint protection to more substantial investments in network segmentation, advanced email security, and secure cloud environments. Remediation costs can vary from a few thousand dollars for minor adjustments to well over $100,000 for organizations with significant security gaps.
The Official Assessment: For CMMC Levels 2 and 3, a formal assessment by an accredited third-party or a government entity is required. The cost of these assessments is becoming more defined as the CMMC rollout progresses.
Ongoing Maintenance and Compliance: CMMC is not a one-time event. Companies must continuously monitor their systems, manage vulnerabilities, and maintain their security posture. These ongoing costs include software subscriptions, managed security services, and periodic internal and external audits.
Estimated Costs by CMMC Level
CMMC Level 1 (Foundational): This level requires an annual self-assessment. While there is no direct cost for a third-party audit, companies will still incur expenses related to:
Internal labor for conducting the self-assessment and preparing documentation.
Basic security tools and potential minor IT upgrades to meet the 15 security requirements.
Optional consulting support to ensure proper implementation and documentation.
For a small business, the total cost for Level 1 compliance can range from a few thousand dollars to around $10,000, assuming a relatively mature starting point.
CMMC Level 2 (Advanced): This is where costs begin to escalate, as it requires a triennial third-party assessment for most contractors handling Controlled Unclassified Information (CUI).
Readiness and Remediation: This is the most variable cost for Level 2. Organizations may need to implement the 110 security controls from NIST SP 800-171, which can be a substantial undertaking. Costs can range from $50,000 to over $150,000 for consulting, technology, and training.
C3PAO Assessment: The cost for the formal assessment by a CMMC Third-Party Assessment Organization (C3PAO) is estimated to be in the range of $30,000 to $60,000, although this can fluctuate based on the scope and complexity of the assessment. The DoD has provided its own estimates for the triennial assessment, projecting around $105,000 for a small entity and $118,000 for a larger one, which also includes the cost of two annual affirmations.
CMMC Level 3 (Expert): As the highest level of CMMC, Level 3 is reserved for companies handling the most sensitive CUI. The costs associated with this level are significant.
Prerequisites: An organization must first achieve a perfect score on a CMMC Level 2 assessment.
Advanced Controls: Level 3 includes an additional 24 controls from NIST SP 800-172, which involve more sophisticated security measures. The implementation and engineering costs for these controls can run into the hundreds of thousands of dollars.
Government-Led Assessment: The assessment for Level 3 is conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). While the direct cost of the government assessment itself may be lower than a C3PAO assessment, the preparation and remediation costs to meet the stringent requirements will be substantial. The DoD’s own estimates for the non-recurring engineering costs (initial implementation) for Level 3 can reach into the millions of dollars.
What level of CMMC do I need?
Determining the specific Cybersecurity Maturity Model Certification (CMMC) level your organization needs is a critical question for any company operating in the Defense Industrial Base (DIB). The answer is not a matter of choice but is dictated directly by the Department of Defense (DoD) and depends entirely on the type of information you will handle or create as part of a contract.
The Deciding Factor: The Data You Handle
The CMMC framework is designed to protect sensitive government information. The level of certification required corresponds directly to the sensitivity of that information. Here is a breakdown of how the levels are generally applied:
CMMC Level 1 (Foundational): If your company only handles Federal Contract Information (FCI), you will be required to meet CMMC Level 1. FCI is information not intended for public release that is provided by or generated for the government under a contract. Many subcontractors who do not handle more sensitive data will fall into this category.
CMMC Level 2 (Advanced): If your company will process, store, or transmit Controlled Unclassified Information (CUI), you will be required to meet at least CMMC Level 2. CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. The majority of prime contractors and many subcontractors who handle CUI will need to achieve this level.
CMMC Level 3 (Expert): This level is required for companies that handle CUI associated with the DoD’s most critical programs and technologies. If your contract involves information that has a direct link to national security or is part of a high-priority program, the DoD will mandate compliance with CMMC Level 3 to protect against threats from Advanced Persistent Threats (APTs).
How to Find Your Required Level
Ultimately, your required CMMC level will be explicitly stated in the government’s solicitation or contract documents. You can find this information in sections L (Instructions to Offerors) and M (Evaluation Factors for Award) of a Request for Proposal (RFP) or a Request for Information (RFI).
As the CMMC program continues its phased rollout, new contracts will begin to include these specific requirements. Therefore, the definitive steps to determine your required CMMC level are:
Review Your Contracts: Scrutinize all current and potential contracts and solicitations for clauses that specify a required CMMC level.
Analyze the Information: Understand the type of data you receive from, or create for, the government. If you handle any CUI, you will need at least Level
Communicate with Your Prime Contractor: If you are a subcontractor, your prime contractor will flow down the CMMC requirements to you based on the information you will be handling for the project.
In summary, the DoD dictates the necessary CMMC level on a contract-by-contract basis. Your organization must analyze the information it handles and look for the specific CMMC requirements outlined in DoD solicitations to determine the exact level of certification you need to achieve.