
The Department of Defense (DOD) has introduced new guidelines to help contractors navigate the complexities of Cybersecurity Maturity Model Certification (CMMC) levels related to solicitations and contracts.
Previously, contractors understood that if a contract only required handling Federal Contract Information (FCI), a self-assessment at CMMC Level 1 was sufficient.
However, when it came to Controlled Unclassified Information (CUI), contractors had to either conduct a self-assessment or secure official certification at CMMC Level 2.
For the most sensitive projects, achieving CMMC Level 3 certification was necessary.
The recently revised guidance clarifies and expands on these requirements, giving contractors more specific criteria to determine the compliance level they need.
Understanding CMMC Levels
Starting with CMMC Level 1, contractors should take note that if a contract involves exclusively FCI—without any CUI requirements—they only need to perform a self-assessment at this level.
This means that contractors who have not handled CUI in their DOD contracts can continue their work with only a Level 1 self-assessment.
CMMC Level 2 is the one level that distinguishes between self-assessments and certification, so the type of CUI handled determines which is required.
The DOD’s updated directives specify which contracts will require a deeper level of compliance.
Contracts that handle CUI classified under the National Archives’ “Defense Organizational Index Grouping” will require a formal certification at CMMC Level 2.
This grouping includes five categories: (1) Controlled Technical Information; (2) DoD Critical Infrastructure Security Information; (3) Naval Nuclear Propulsion Information; (4) Privileged Safety Information; and (5) Unclassified Controlled Nuclear Information – Defense.
If contractors encounter any of these types of CUI, they should be prepared to pursue a Level 2 certification in future contracts.
Self-Assessments and Certifications
On the other hand, contracts involving non-Defense CUI require only a Level 2 self-assessment.
Thus, for contractors who handle CUI that falls outside the five categories listed above, a self-assessment will suffice.
Contractors who typically do not deal with Defense-related CUI might find that a CMMC Level 2 self-assessment meets their needs.
Yet, for those eager to invest in meeting Level 2 security standards, certification could open doors to more opportunities requiring this formal recognition.
When it comes to CMMC Level 3, DOD representatives have been instructed to be discerning in applying this requirement.
Consistent with earlier guidance, it’s anticipated that only a limited number of contracts will necessitate a CMMC Level 3 certification.
Specific circumstances warranting this level include: (1) contracts involving CUI tied to cutting-edge technologies; (2) contracts that consolidate large volumes of CUI within a single IT framework; and (3) contracts where a breach of an information system could lead to significant vulnerabilities across DOD networks.
Contractors involved in the research and development of sensitive technologies or those managing large quantities of CUI should consider pursuing the CMMC Level 3 certification.
Conclusion and Next Steps
Contractors must carefully choose the CMMC level that reflects both the type of DOD information they handle and their business goals.
It’s vital for them to act swiftly in determining and establishing their desired CMMC level to capitalize on potential contracting opportunities.
Staying ahead in compliance for these certifications will ensure they are well-positioned for success in their engagements with the DOD.
Source: Natlawreview