Cybersecurity Maturity Model Certification (CMMC) is a requirement for all organizations within the supply chain to the United States Department of Defense (DoD), including prime contractors, sub-contractors, and sub-tier suppliers. CMMC ensures that an organization has achieved the minimum threshold of cybersecurity necessary to be entrusted with the types of information it receives or handles. CMMC is like NIST 800-171, but it is performed by a certified external company.
NIST 800-171 is a federally mandated requirement for non-federal businesses conducting business with the federal government. It is required if you deal with Controlled Unclassified Information (CUI) or perform services on systems that provide CUI.
DoD contractors will be required to meet a specific CMMC level to submit proposals for new DoD contracts. You can beat the rush before the time comes. We will help you become CMMC Level 1 – 3 pre-compliant now, and then CMMC compliant before it is required.
Total Cyber’s NIST 800-171 solution prepares businesses for self-certification as well as CMMC 2.0 verification.
Level 1 - "Basic Cyber Hygiene"
The DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
Level 1 of CMMC addresses the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21, which defines FCI as:
(Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.)
Level 2 - "Intermediate Cyber Hygiene"
In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
Criteria for CMMC Level 2
CMMC Level 2 is a transitional level. At Level 2, a contractor is not yet approved for CUI. CMMC Level 2 practices and processes provide additional safeguarding above CMMC Level 1 and help to prepare a contractor to handle CUI at CMMC Level 3.
Level 3 - "Good Cyber Hygiene"
The DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 13 new “Other” controls.
CMMC Level 3 addresses the protection of Controlled Unclassified Information (CUI), which the National Archives and Records Administration (NARA) defines as:
Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.
Level 4 - "Proactive"
The DoD contractor will need to implement 11 controls of NIST 800-171 RevB plus 15 new “Other” controls.
Level 5 - "Advanced / Progressive"
The DoD contractor will need to implement the final 4 controls in NIST 800-171 RevB plus 11 new “Other” controls.