Businesses that want to be one of the 300,000 companies that work with the Department of Defense (DoD) as a contractor or subcontractor will want to brush up on the fundamentals of CMMC.
Launched in 2020, with CMMC 2.0 following close behind in 2021, CMMC is required to demonstrate that a company meets the security standards and cyber hygiene set by the DoD.
There have always been guidelines in place for best practices when working with the federal government. Prior to CMMC, the DoD advised contractors to follow the National Institute of Standards and Technology's SP 800-171 guide for safeguarding sensitive information.
However, ensuring that contractors followed these standards was a difficult endeavor at best. Compliance was more or less voluntary, and there was no checks-and-balances system in place to ensure that all contractors and subcontractors were secure when it came to sensitive information.
The Value of CMMC for Your Business
This is where CMMC raises the bar, and its requirements are broken down into three distinct levels. The majority of contractors will need to meet the Level 1 requirements, and perhaps the Level 2 requirements, to bid on (and win) DoD contracts, and the process for either is intricate and lengthy.
A solid first step to understanding CMMC (and how your company may be affected) is to connect with the Managed IT support experts at Emeritus for a check-up in Dallas, Texas. Our team of experts will identify any weak spots or areas with room for improvement.
When it comes to CMMC, company executives will want to be familiar with the following guidelines.
In the original 2020 version, there were five different levels of certification. However, it was revised in 2021, and CMMC 2.0 has only three levels to tackle. These levels represent a set of practices, standards, and processes set by the DoD, and the security requirements become stricter the higher you go.
The three levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The level your organization must meet depends on the sensitivity of the data and the project you are working with.
Level 1, the foundational level, requires companies to follow basic practices. These are outlined in the requirements under FAR 52.204-21, which has been in place for DoD contractors and subcontractors since 2016.
These requirements include:
- limiting information system access to authorized users only
- protecting organizational communications
- updating malicious code protection mechanisms
- routinely scanning for threats across all communications
These guidelines seem simple enough. For the most part, every company should have basic practices in place to protect their own data and resources, and those of their partners.
However, for smaller companies with limited resources or in-house IT expertise, making sure that every aspect of Level 1 is covered can be a challenge. Chances are, you use a myriad of networks, devices, and online communication methods throughout your company. Every device connected to the broader online world must be protected.
There is some good news for companies that need to complete the CMMC Level 1 checklist. For one thing, companies may be able to perform these best practices in an ad hoc manner (without documenting the details). Additionally, companies can achieve and maintain Level 1 certification through an annual self-assessment.
What is CMMC Level 2?
Level 2 certification builds on the fundamentals of Level 1 but requires a little more effort and extra precautions companywide. A key difference is that Level 2 requires companies to document all the processes that drive their efforts to achieve certification. This documentation must be thorough and easy to repeat and replicate.
Level 2 practices are classified as advanced or intermediate practices. They closely mirror the NIST SP 800-171 guidelines, with 110 practices to follow. Like Level 1, these practices are varied and broad, and cover measures such as:
- controlling access
- mitigating and managing risks
- responding to incidents
- maintaining the integrity of information
- protecting the company's overall communication systems
Level 2 certification is generally necessary for contractors and subcontractors connected to critical infrastructure. This includes businesses that may want to bid on contracts related to energy, water, communications, and transportation. These businesses handle sensitive information, but not the top tier of classified information.
How to Determine the Differences Between Level 1 and Level 2
The key way to determine whether your company will need Level 1 or Level 2 is to consider the type of projects you want to work on as a contractor or subcontractor of the DoD.
Suppose the contract you are bidding on is miles outside the critical infrastructure or classified data realms (such as providing food or beverage services). In that case, it’s likely that only Level 1 certification will be necessary.
However, achieving higher levels of CMMC certification can provide a wealth of benefits. Not only does it open a company to more opportunities with the DoD, but it also displays a strict adherence to the DoD's guidelines when bidding on a contract.
How Can You Obtain a CMMC Certification?
CMMC certification is available via a third-party assessment, which can take months to achieve. The smartest way forward is to team up with a CMMC expert like Emeritus. Our expert team can pave the way toward a smooth process.
Emeritus is a local business in Dallas, Texas, and we provide managed IT support throughout the USA. We'll evaluate your current systems and the protections you have in place. Additionally, we will help ensure that all of your bases are covered when it comes to Level 1, Level 2, or even Level 3 certification.
Discover the Value of CMMC with Emeritus
Most importantly, by performing a health check-up of your company's interworking systems, you can protect your information and sensitive data from the crowds of attackers who can turn a data breach into a costly emergency.
Don't wait to get started on your CMMC certification.
Reach out to our team today. Let’s work together to open a new world of opportunities with the DoD and miles beyond.