Every day, the U.S Department of Defense (DoD) faces millions of cyber threats while its contractors are battling to protect sensitive DoD information. DoD contractors are responsible for implementing and monitoring the information technology systems that store that information, which is vital to avoid putting the national security at risk. So, what is the standard for DoD cybersecurity processes? Well, it was recently released in 2020, and is called the Cybersecurity Maturity Model Certification (CMMC).CMMC was the DoD’s response to the rising number of cybersecurity threats that have compromised sensitive defense information. Today, all DoD contractors are required to be in compliance with CMMC. In this blog, we’re going to go over how defense contractors can not only achieve CMMC compliance, but maintain it as well.
Blog courtesy of Kyber Security, a managed security service provider in Fairfield, Connecticut. Read more Kyber Security blogs here.
Why Contractors Need to be CMMC Compliant
If contractors wish to continue working with the DoD, they MUST be CMMC compliant. While contractors and other agencies under the DoD may find compliance and security standards confusing, from the government’s perspective, maintaining high standards and cybersecurity best practices is a matter of national security necessary to combat online threats. Organizations that are regularly hit with cyberattacks or don’t have the infrastructure in place to prevent and mitigate attacks will risk losing their contracts with the DoD.The 5 Levels of CMMC
The CMMC consists of five certification levels contractors must complete to best implement cybersecurity practices. Certification is required for every company involved in DoD work, including subcontractors, and is good for 3 years.- Level 1: Processes. Basic best cyber hygiene practices, sensitive data management.
- Level 2: Protect Controlled Unclassified Information (CUI).
- Level 3: Practices to safeguard CUI, including the NIST 800-171 (This is the most common necessary achievement level)
- Level 4: Practices using advanced persistent threats (APT) techniques and procedures.
- Level 5: In place sophisticated capabilities to detect and respond to APTs.




