Every organization within the Department of Defense (DoD) supply chain—including prime contractors and subcontractors—will be required to achieve at least one of the levels of CMMC compliance. According to the DoD, the CMMC compliance regulations will impact over 300,000 organizations.
Does My Organization Need CMMC Compliance?
If your organization is one of the following, you will need to achieve CMMC compliance in order to hold and be awarded contracts by the DoD:
- DoD prime contractors
- DoD subcontractors
- Any supplier within the DoD supply chain
Levels of Compliance
Depending on the amount and type of sensitive information your organization transmits, you’ll have to achieve one of 3 levels of CMMC compliance.
The DoD contract specifies which level of compliance an individual contractor must meet. For example, prime contractors may have to achieve Level 3 compliance while subcontractors may only be required to achieve Level 1.
Using the CMMC standards, organizations will be issued a score indicating the organization’s level of compliance. Each level requires you to comply with the previous level’s standards as well. The three levels are:
- Level 1 Foundational: Basic Cyber Hygiene. This level focuses on basic cyber hygiene requirements. There are 17 practices that need to be implemented, drawn from FAR 52.204-21.
- Level 2 Advanced: Defense Industrial Base (DIB) companies that send, receive and store Controlled Unclassified Information (CUI) fall into this category. There are 110 controls that must be implemented, drawn from NIST SP 800-171.
- Level 3 Expert: This level is for DIB companies that send, receive and store information from the Defense Industry's high-risk programs. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172.
The CMMC Accreditation Body (CMMC-AB) is working to ensure that third-party assessments are available for contractors, subcontractors, and suppliers at each of the CMMC levels. In the meantime, organizations should consider working with a CMMC compliance consultant that is a Registered Provider Organization (RPO) to prepare for their official audits, because RPOs have gone through formal training, signed a code of ethics, and are more qualified and experienced than consultants that have not.
If you are interested in learning more about CMMC and the process for becoming compliant, please read our CMMC Compliance Guide. If you have any questions, don’t hesitate to give us a call or schedule a free consultation. Our team will be happy to help your organization navigate the complexities of compliance.