The benefits of obtaining Cybersecurity Maturity Model Certification (CMMC) certification are virtually limitless.
Developed by the United States Department of Defense (DoD) to address emerging cybersecurity threats targeting the Defense Industrial Base (DIB), CMMC has proven to be a game-changer in enforcing regulatory compliance for defense contractors.
Meeting the minimum CMMC requirements is a significant step towards safeguarding the DIB ecosystem.
Not only is obtaining the relevant CMMC certification a mandatory eligibility criterion for winning defense tenders, but compliant businesses can also have their existing contracts renewed more easily, in addition to avoiding costly lawsuits.
Besides, CMMC-certified companies enjoy higher trust ratings from their clients and partners. Organizations can also utilize the opportunity to better understand their cybersecurity posture.
Since CMMC compliance is so significant, you’re probably wondering what it takes to obtain relevant certifications.
Now, CMMC certification is a multi-tiered process that begins from the basics and progresses to the advanced levels. The first step typically entails understanding what constitutes CUI and how this category of information impacts the various CMMC levels.
Controlled Unclassified Information (CUI) refers to federally designated sensitive, but non-classified information. Although not necessarily secret, CUI is highly sensitive and must be handled judiciously to prevent it from slipping into potentially malicious hands.
Controlled Unclassified Information (CUI) typically appears in defense contracts. Recipients of CUI-bearing documents must implement specific precautionary measures to ensure the safe processing, storage, and dissemination of this information.
However, since there are thousands of DIB entities, the Department of Defense cannot vet each organization individually to verify compliance with proper CUI handling regulations. The DoD developed the CMMC framework to help streamline those procedures.
Obtaining CMMC certification services is a crucial step toward achieving CMMC compliance.
A reputable CMMC certification agency will conduct an extensive gap analysis to identify your organization’s assets that handle controlled unclassified information. If the audits uncover significant cybersecurity weaknesses, the organization will recommend a raft of remediation measures.
Your business must meet the minimum requirements under the respective CMMC levels to obtain certification.
It’s also worth noting that controlled unclassified information isn’t unique to defense contracts. While the term has become somewhat synonymous with the Department of Defense’s CMMC program, many other federal agencies mandate strict compliance with CUI security frameworks.
The success of CMMC assessment and certification depends on a proper understanding of what constitutes controlled unclassified information. Noteworthy examples of CUI include:
As the name implies, personally identifiable information enables the government to distinguish an individual’s identity.
It includes social security numbers (SSNs), bank transactions, and billing records.
Every federal department maintains several critical infrastructures. These are essential assets that are vital to the agency’s operations.
Examples of critical infrastructures include road networks, water supplies, power grids, healthcare facilities, and communication technologies.
A defense contract may bear information on critical infrastructure, such as a secret military training facility. Such information would constitute CUI.
Any information that could jeopardize law enforcement activities if recklessly disseminated constitutes law enforcement sensitive information.
It’s another common category of controlled unclassified information.
CUI may also encompass secret corporate information like financial data and marketing secrets.
Such information requires extra safeguards to prevent unauthorized access, which could cause severe financial and reputational damage.
Federal Contract Information (FCI) is another major information category that often appears in federal contracts. But while both CUI and FCI are handled by defense contractors, they require distinct protection levels.
The principal difference between CUI and FCI is that federal contract information is typically not meant for public dissemination. Therefore, it poses fewer security risks than CUI, which often ends up in the public domain.
Examples of federal contract information include:
CMMC 2.0 has three maturity levels, down from five in CMMC 1.0. They include:
CMMC Level One requires businesses to implement basic cybersecurity protocols. It applies to defense industrial base companies that handle federal contract information.
Level 1 aligns with 15 cybersecurity protocols, which are based on the Federal Acquisition Regulation (FAR) clause 52.204-21.
FAR’s 15 controls share a significant overlap with 17 requirements under the National Institute of Standards and Technology (NIST)’s Special Publication (SP) 800-171 R2. The guidelines spell out basic procedures for safeguarding FCI by federal contractors.
CMMC Level 1 requires annual self-assessment and affirmation. DIB companies must report their compliance status in the Supplier Performance Risk System (SPRS), with CMMC assessments renewed annually.
As the foundational level of the CMMC framework, Level 1 requires total compliance. That’s to say, an organization seeking certification (OSC) must meet all 15 cybersecurity requirements to obtain a “pass.”
You cannot invoke Plans of Action & Milestones (POA&Ms) in CMMC Level 1.
Also, while CMMC Level 1 allows for self-assessment, certification doesn’t come easily. The DoD carefully reviews the compliance reports submitted to the SPRS to establish that an OSC has truly met all cybersecurity protocols.
Besides, new defense contractors typically start with Level 1. Implementing the requirements can be crucial in making a strong first impression.
The first noticeable distinction between CMMC Level 1 and CMMC Level 2 is that the latter targets controlled unclassified information.
CMMC Level 2 aligns with 110 cybersecurity controls in NIST SP 800-171. It’s the most comprehensive CMMC maturity level, and where most DIB companies fall.
Level 2 requirements are further organized into 17 domains. Each domain covers specific cybersecurity protocols, from access control all the way to risk mitigation.
CMMC Level 2’s other defining feature is the incorporation of third-party assessor organizations (C3PAOs). C3PAOs are agencies authorized by the CMMC Accreditation Body (CMMC AB or Cyber AB) to undertake cybersecurity audits on the DoD’s behalf.
To become a C3PAO, an organization must demonstrate technical CMMC knowledge. Its assessors must also be reasonably conversant with other relevant cybersecurity frameworks, such as FedRAMP.
Therefore, due diligence is critical while choosing a C3PAO.
Scour the Cyber AB marketplace and pick an organization that’s duly accredited rather than one pending approval.
After auditing your business for CMMC compliance, a C3PAO will issue a report on whether you have “Met” or “Not Met” the applicable controls.
Besides independent audits, there are also provisions for Level 2 self-assessments. These are evaluations undertaken internally by an organization seeking certification to scope its information systems, usually designed to lay the groundwork for a proper C3PAO assessment.
If your business fails the C3PAO-led assessment, you have up to 180 days to address the weaknesses. This grace period allows you to remediate any security gaps documented in your POA&Ms.
Level 2 assessments must be undertaken triennially. In the meantime, DIB companies must implement active threat monitoring strategies to safeguard the DIB supply chain from unforeseen attacks.
One way to ensure proactive threat detection is by conducting routine internal cybersecurity audits. Findings from these assessments can help identify and address vulnerabilities to your CUI assets before the threats escalate.
Besides, undertaking regular cybersecurity evaluations is an effective way to manage the cost of CMMC Level 2 assessments and certifications. It shortens not only the time C3PAOs require to conduct the mandatory triennial evaluations, but also the overall assessment costs.
Level 3 is the most advanced CMMC maturity level. It applies to defense contractors handling highly sensitive controlled unclassified information.
CMMC Level 3 emphasizes an even more proactive approach to risk monitoring, primarily targeting advanced persistent threats (APTs). Organizations must continuously monitor APTs in their systems and respond decisively to these sophisticated cybersecurity threats before they proliferate throughout the DIB ecosystem.
To obtain CMMC Level 3 certification, an organization must comply with all 110 cybersecurity controls outlined in NIST SP 800-171 and 24 additional protocols specified in NIST SP 800-172.
Like CMMC Level 2, Level 3 mandates third-party-led assessments. There’s no room for self-attestation.
Compliance audits must be spearheaded by an official from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).
Level 3 assessments typically group in-scope assets into three categories, each focusing on specific types of sensitive information. These categories include CUI Assets, Contractor Risk Managed Assets (CRMAs), and Security Protection Assets (SPAs).
It can take several weeks to thoroughly audit a specific asset, which explains why Level 3 assessments are the most resource-intensive of the three CMMC maturity levels.
As Level 3 targets the most sophisticated cybersecurity threats, organizations must also maintain detailed documentation of their security controls and procedures. Compliance with Level 3 requirements is the most unambiguous indication of CMMC readiness. That said, you can still win lucrative defense contracts as a Level 1 or Level 2 business.
CMMC certification is a sophisticated process that calls for a cautious approach. To ace the process, you’ll need to start from the basics by unpacking controlled unclassified information and the CMMC levels.
Even better, you can enlist the services of a reputable cybersecurity compliance agency to help accelerate the CMMC certification process.
Choose an organization accredited by the Cyber AB. Also, establish that the agency has a track record of helping similar businesses obtain CMMC certification.
Familiarity with your software stack, reasonable turnaround time, and competitive fees are other key considerations when looking for a cybersecurity compliance agency.