What Idaho DIB Companies Need to Know about CMMC 2.0

The upcoming Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD) makes the adoption of NIST SP 800-171 mandatory for the Defense Industrial Base (DIB). This includes both prime contractors and subcontractors.

NIST SP 800-171 is a publication that lists specific security controls for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It puts forth a minimum standard of cybersecurity protections for businesses working with the Federal Government to ensure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are secure.

CMMC is designed to give the DoD a way to enforce the protection of national security information and American ingenuity.

CMMC only applies to DIB organizations. DIB organizations enable research and development of military weapons systems, subsystems, and components or parts. DIB companies perform under contract to the Department of Defense.

Image from ControlCase

CMMC 2.0 is the newest version of the program and has 3 levels of maturity, with each level increasing in the robustness of cybersecurity controls, processes, and procedures.

CMMC Level 1

This is ‘foundational’ cyber protection and requires the implementation of 17 controls from NIST SP 800-171. In addition, an annual self-assessment is required. This level is mainly for a DIB company that does not process, store, or transmit CUI on its unclassified network, but does process, store or handle FCI.

CMMC Level 2

This is referred to as ‘Advanced’ and includes all 110 controls from NIST SP 800-171. Compliance is measured with a yearly self-assessment for level 2, or, for contracts with information critical to national security, a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). For scoring, controls will be weighted at 1, 3, or 5 points depending on risk. Each control not met is points docked. The highest possible score is 110 and the lowest could be in the negatives.

CMMC Level 3

This level builds on the previous two levels by requiring full implementation of all 110 controls from NIST SP 800-171 plus controls from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). This ‘Expert’ level advances to a triennial assessment led by government officials.

Need help in Idaho with CMMC Compliance?

TotalCare IT can help your Idaho organization prepare for CMMC by walking you through an alignment to the NIST standards.

We will create a roadmap for you that clearly outlines where your organization is currently meeting NIST SP 800-171 controls and where you need improvement.

Then, as part of our ongoing compliance management service, we help you implement all the controls in your organization. We can also help you create POA&Ms if needed and walk your organization through self-assessments.

Implementing security controls does not happen overnight. If your DIB organization hasn’t started preparing for the rollout of CMMC in 2025, what are you waiting for? Give us a call today to get started! (208) 881-9713