
Justin Hensley
Understanding the Three Levels of CMMC
In today’s cybersecurity landscape, the updated Cybersecurity Maturity Model Certification (CMMC) has streamlined its structure to three levels of compliance. This adjustment emphasizes clarity and scalability for organizations within the Defense Industrial Base (DIB). Each level is designed to align with the complexity of information being protected, ensuring that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) remain secure.
CMMC Levels Explained
Level 1: Basic Safeguarding of FCI
- Focus: Foundational cybersecurity practices aimed at protecting FCI.
- Requirements: Organizations must implement the 15 specific practices outlined in Federal Acquisition Regulation (FAR) clause 52.204-21. These include basic measures such as limiting physical access and regularly updating antivirus software.
- Assessment: An annual self-assessment is required, with results submitted to the Supplier Performance Risk System (SPRS).
Level 2: Advanced Protection of CUI
- Focus: Implementation of robust cybersecurity practices to protect CUI.
- Requirements: Based on the 110 practices of NIST SP 800-171 Revision 2, this level demands comprehensive safeguards such as multifactor authentication, encryption, and incident response plans.
- Assessment: Depending on the contract, organizations must either undergo a triennial assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) or perform a self-assessment. Annual affirmations of compliance are also required.
Level 3: Expert Protection Against Advanced Persistent Threats
- Focus: Enhanced protections to mitigate sophisticated cyber threats.
- Requirements: In addition to the Level 2 practices, organizations must implement 24 additional practices outlined in NIST SP 800-172. These include advanced threat detection and incident reporting capabilities.
- Assessment: Triennial assessments are conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with annual compliance affirmations.
Why the Three Levels of CMMC Matter
CMMC’s tiered approach ensures that cybersecurity measures are proportional to the sensitivity of the data being protected. For organizations working with the Department of Defense (DoD), understanding and meeting the requirements of their relevant level is critical for maintaining eligibility for contracts and safeguarding national security.
CloudFit Software: Supporting Every Step of Your Compliance Journey
Navigating the complexities of CMMC compliance can be challenging, but CloudFit Software offers a range of services to simplify the process:
- Customized Assessments: We help identify your organization's current compliance standing and provide actionable recommendations to meet your target level.
- Implementation Assistance: CloudFit experts work with you to deploy the required practices effectively, ensuring your cybersecurity framework aligns with CMMC standards.
- Ongoing Compliance Management: With CloudFit's support, organizations can maintain compliance through continuous monitoring, regular updates, and proactive risk management.
"Microsoft’s security and compliance solutions, combined with CloudFit’s tailored services, equip DIBs with the tools and expertise needed to work toward CMMC compliance," says Jayson McFadden, Technical Solutions Architect at CloudFit Software. "Our approach helps bridge the gap between advanced technical tools and practical implementation, empowering organizations to strengthen their cybersecurity posture."
To learn more about how CloudFit Software can assist your organization in preparing for a CMMC assessment, contact us today for a consultation.
About CloudFit Software:
CloudFit Software, Inc was founded in March of 2018 and merged with Composable Systems, LLC in August of 2018 to form CloudFit Software, LLC. CloudFit is now leading the market in "Managed Scenarios" for cloud across Fortune 500, DoD and Regulated Industries. While CloudFit primarily exists to implement, manage and secure critical services and applications in the cloud, it has a great mission with its charities: KidFit — uses athletics as a conduit to provide mentorship and opportunities for all kids regardless of their ability to play — and JobFit — lowers barriers for high school and college students to achieve great IT careers.
For more information on how CloudFit Software can assist your organization in achieving CMMC compliance, please contact us for a consultation.
For additional information: Contact CloudFit Software via email getfit@cloudfitsoftware.com or call 434-548-0015.