Although the practices and protocols for CMMC compliance have not yet been completely rolled out, there are still a few things you can do now to ensure that you’ll be ready when they do. Perhaps the easiest and best step you can take is to enlist the help of a qualified compliance agency and have them perform a preemptive CMMC audit on your behalf.
This can help you see where your organization currently sits and determine which steps you must take to get up to CMMC standards. Understanding the five levels of CMMC compliance can also help you prepare for what is to come when the system is rolled out in full.
Level 1
Level 1 is the lowest level within the CMMC framework, but it still entails significant security practices that will be required by federal law for those who may eventually work with Controlled Unclassified Information (CUI). Level 1 is considered basic, though it still requires 17 different security practices to ensure that organizational data is kept safe on unclassified networks.
Level 1 is mostly focused on protecting Federal Contract Information (FCI), or information that is not supposed to be available to the public. Many organizations that handle somewhat sensitive information will find themselves here.
Level 2
Level 2 is considered an intermediate level of security, and it has a total of 72 security practices that are required. One such requirement is that Level 2 organizations must document their processes and efforts to implement CMMC practices.
This level is viewed as a transitional stage from Level 1 to Level 3, and many of its requirements align with NIST SP 800-171. Organizations that handle slightly more sensitive information than Level 1 organizations are likely to be placed at Level 2.
Level 3
Level 3 ups the security ante, as it is considered a “good” level of security and a “managed” process. This means that organizations are required to create and maintain a plan for remaining CMMC compliant, and they must also demonstrate how they manage these activities. These plans should include comprehensive implementation plans, the resources to support them, training for employees, and the overall goals of the effort.
Level 3 has a total of 130 required security practices, and its requirements align with those of NIST SP 800-171 along with a few extras. To prepare for Level 3, it is recommended that you have your NIST SP 800-171 documentation ready to go as soon as possible.
The vast majority of organizations will fall at Level 3 or below, so this is a safe starting point for most entities that must have CMMC compliance in the future.
Level 4
Level 4 is labeled a proactive and reviewed process with 156 required security protocols. Level 4 aims to keep the protection of CUI against Advanced Persistent Threats (APTs) at the forefront. Level 4 also comes with the requirement of managed processes, in addition to the expectation that organizations will continuously monitor their security posture and correct deficiencies when they are detected.
Level 5
Level 5 is the highest level possible for CMMC certifications, and it entails advanced and optimized protocols and procedures. Level 5 includes a whopping 171 required security practices, and it expects organizations to create standardized processes that are implemented across the entire organization.
Like Level 4, Level 5 is focused on keeping CUI safe from APTs, though it has even more in-depth cybersecurity requirements and practices. Level 5 CMMC compliance is reserved only for organizations that handle the most sensitive CUI.
When the time comes for your organization to begin the process toward CMMC certification, being equipped with as much knowledge as possible can only help you with the transition.