CMMC Tips Part 2: Levels 1 and 2 and COTS

December 21, 2020 | 7 min read


Amy Williams, PhD, CISSP, CMMC-RP - Director of Proactive Services

Wondering whether CMMC maturity level 1 or 2 is enough for your company? This article covers who must comply in general and then dials in on levels 1 and 2, plus provides a bit of detail about the COTS exception as well.

Who Must Comply?

Estimates on the number of companies that will need to comply with CMMC vary. The most frequently cited numbers are between 300,000 and 350,000 contractors in the defense industrial base but since many prime contractors have seven or more layers of subcontractors, the number of companies that will need to be certified may be much higher. Subcontractors do not necessarily need to comply at the same level as their primes though, since compliance is tied to the sensitivity of data handled for the work performed. More detail about how this will work is provided below.

Currently, DoD RFPs with CMMC requirements are slated to begin appearing in contracts in early 2021. So, for example, there will be language in the RFP to indicate whether contractors must comply with Level 1, 3 or some higher level of CMMC to be awarded the contract.

Companies submitting proposals to the DoD must be third party certified that they are compliant with the required level at time of award, not at the time of proposal submission. However, it’s now clear that the accreditation board expects contractors to have required maturity practices in place for enough time to be just that – maturity practices. If all the requirements are put into place a week before the assessment, it is likely that some aspect will be incomplete, inaccurate or simply not an organizational practice yet. Accordingly, the sooner a contractor gets started on putting security practices in place, the better their chances are of successfully passing an assessment.

Level 1

The five CMMC levels are additive – Level 2 has Level 1 baked into it, etc., so a great starting point for any company is to review the CMMC standard published by the DoD and consider how to start applying the practices required for Level 1 (L1) certification.

L1 compliance includes just 17 practices and is designed to help companies that handle the least sensitive type of Federal Contract Information (FCI) get certified. Think of FCI as a superset for all contract information that is not intended for public release. Some FCI also needs additional safeguarding (e.g., CUI), thus requiring additional cyber security steps.

L1 is also the only level of CMMC compliance that does not require an organization to document the required security practices. An important point, however: documenting practices is always a good thing but if your documentation differs from the actual practices in place, you are likely to fail your assessment, so take extra care to make sure documentation is accurate. This is in no way meant to discourage documentation. Good documentation will help you stay organized and on top of your security initiatives. Documentation also provides a foundation that prepares your organization for moving to the next higher levels of maturity, and that can in turn open doors for your company to accept more lucrative contracts. So, document your practices, but double check their accuracy before you invite the assessors in!

For your convenience, the L1 practices from the CMMC guidance are reproduced in Table 1. All CMMC practices fall under one of 17 different cyber security domains. You will notice that L1 is heavily focuses on practices related to the Access Controls, Physical Protections and System and Information Integrity domains.

Table 1: Required Practices for CMMC Level 1 Certification

Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Access Control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Access Control: Verify and control/limit connections to and use of external information systems.
Access Control: Control information posted or processed on publicly access information systems.
Identification and Authentication: Identify information system users, processes acting on behalf of users, or devices.
Identification and Authentication: Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
Media Protection: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Physical Protection: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Physical Protection: Escort visitors and monitor visitor activity.
Physical Protection: Maintain audit logs of physical access.
Physical Protection: Control and manage physical access devices.
System and Communications: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the inform systems.
System and Communications: Implement subnetworks for publicly accessible system compnents that are physically or logically separated from internal networks.
System and Information Integrity: Identify, report, and correct information and information system flaws in a timely manner.
System and Information Integrity: Provide protection from malicious code at appropriate locations within organizational information systems.
System and Information Integrity: Update malicious code protection mechanisms when new releases are available.
System and Information Integrity: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Level 2

We have worked with a number of clients that currently need to put Level 1 practices in place but aspire to achieve Level 3 compliance so that they may bid on more contracts. Level 2 is designed to be a stepping-stone for just such contractors. The DoD is not currently planning to put L2 requirements in contracts. However, going from 17 practices to 130 practices is a huge jump and, again since the levels of maturity are additive, the DoD thought it would be helpful to include guidance on the logical progress of investments between L1 and L3.

Level 2 requires 55 additional controls within 15 domains beyond L1, and L2 requires that a company have at least one written policy for each of 15 different security domains.

The COTS Exception

The one exception to the compliance requirements is for suppliers who sell commercially available off the shelf items defined very specifically as:

  1. Commercial products
  2. That are sold in similar quantities in the commercial marketplace and
  3. That are offered to the federal government without modification in the same form as how they are offered in the marketplace.

Accordingly, if you sell time management software, non-customized uniforms, standard fasteners or sandwiches to the DoD, you most likely do not have to be CMMC compliant. For all other DoD contractors, some level of CMMC compliance is required.

A Practical Example: Flow of L1 Services Down from L3 Prime

A prime contractor that manufactures field equipment may flow down a contract to manufacture an equipment part to Subcontractor A who may then contract with Subcontractor B for a large order of sheet metal. If the sheet metal requested is a standard, non-customized product that is made for other commercial entities as well, Subcontractor B will not likely need to comply with CMMC. Commercial Off the Shelf (COTS) products with no customization are an exception to the CMMC rules, as described above.

If, however, as part of the order process Subcontractor B had to receive some specifications on how the metal would be used in order to fulfill the contract, that would likely qualify as FCI. Any contract information not intended for public release would qualify as FCI and thus require CMMC L1 compliance at minimum. If, on the other hand, the order is for customized sheet metal that will be manufactured using a proprietary blend of metals or to unique design specifications expressly requested for this contract, the design specifications would be more sensitive information that Subcontractor B would be required to safeguard more carefully. In the latter case, the special designs would be designated as Controlled Unclassified Information (CUI). Companies handling CUI must seek and attain CMMC L3 certification in order to perform work for the DoD.

In summary, if your company makes goods or provides services for the DoD that are exactly the same as the goods and services you provide commercially to the public, you may qualify for the COTS CMMC exception. If you perform work for the DoD and are only handling FCI that doesn’t require additional safeguarding, you will likely need to be certified at Level 1. If, however, you are handling CUI, L3 certification will be required, at minimum.

The next article will go into more detail about Level 3 – what it is, what’s required, and tips to fast track compliance.

CMMC Center: Your Journey to Compliance

Join in the conversation on the CMMC Center slack group. The center provides a managed, moderated and secure place within the DIB to discuss the challenges and success of their CMMC journey. We view this a space for open and free discussion about any CMMC related topic and to learn from other's experiences with CMMC.

To request access, from your corporate email address contact [email protected].

Learn more on our CMMC hub or read article 1 of this series.