
Understanding CMMC Compliance

The U.S. Department of Defense will soon make the Cybersecurity Maturity Model Certification a requirement for any defense contractor that currently works or hopes to work with the DOD.

If you’re somewhat new to aerospace manufacturing, you might wonder what Cybersecurity Maturity Model Certification (CMMC) has to do with engineering and manufacturing. After all, what does cybersecurity have to do with aerospace? But it is important to know that the U.S. Department of Defense will soon make the certification a requirement for any defense contractor who currently works or wants to work with the DOD.

CMMC is a unified standard for implementing cybersecurity across the defense industrial base, which includes more than 300,000 companies in the supply chain. These CMMC standards are the DOD’s response to significant compromises of sensitive information located in its contractors’ information systems. In other words, the government wants to make sure data isn’t vulnerable due to suboptimal standards on the part of vendors and contractors.


In the past, contractors were responsible for implementing, monitoring and certifying the security standards of their own disparate systems. CMMC was drafted with input from university-affiliated research centers, federally funded research and development centers, and the industry itself. Under the new standards, contractors are still responsible for implementing the cybersecurity controls, but CMMC adds a requirement for third-party assessments of each contractor’s compliance with the required practices and processes and of its capability to adapt to evolving threats.

The DOD framework outlines five levels of certification. Each level builds upon the ones below it: Level 3 certification, for example, includes the requirements for both levels 1 and 2. Below is a brief explanation of each level:

Level 1 – “Basic Cyber Hygiene”: This is the minimal standard for every DOD contractor. Contractors who wish to pass an audit at this level must implement 17 controls of NIST 800-171 Rev1.

Level 2 – “Intermediate Cyber Hygiene”: Here, DOD contractors implement another 48 controls of NIST 800-171 Rev1 (the National Institute of Standards and Technology publication) in addition to seven other controls.

Level 3 – “Good Cyber Hygiene”: To achieve this level, the final 45 controls of NIST 800-171 Rev1 plus 13 other controls must be met.

Level 4 – “Proactive” cybersecurity: In addition to satisfying NIST 800-171 Rev1, contractors must also satisfy 11 controls of NIST 800-171 Rev2 as well as 15 other controls.

Level 5 – “Advanced / Progressive” cybersecurity: To achieve the highest level, DOD contractors must implement the final controls of NIST 800-171 Rev2 plus 11 other controls.

Additionally, to achieve each certification level, contractors and vendors must meet requirements for practices and processes associated with their level across 43 different capabilities spanning 17 capability domains.

CMMC will soon be a minimum requirement for eligibility for DOD contract awards, but contractors should never view their cybersecurity compliance as an accomplished mission once a certification is earned. The DOD has emphasized that the certification is a starting point for transforming contractors’ internal cybersecurity culture and that the industry must focus on preparing its systems to be agile in a constantly evolving world of cyber threats.

About the Author

Matthew Cox is CEO at Indiana Precision Grinding.
