The Charles IT Blog

The cybersecurity maturity model certification (CMMC) is a journey towards proactive security, whereby organizations ultimately shift their focus to preventing security events from occurring in the first place.

Prior to the Cybersecurity Maturity Model Certification, defense contractors were responsible for implementing, maintaining, and assessing their own cybersecurity practices in accordance with the NIST Special Publication 800-171. CMMC aims to improve upon those measures and unify them in a single framework that applies to all defense contractors and subcontractors. It also introduces a number of ...

The Cybersecurity Maturity Model Certification (CMMC) replaces the current DFARS 252.204-7012 clause that defense contractors currently have to when entering into a contract with the Department of Defense. Based on the NIST SP 800-171 framework, albeit with the addition of various other processes and practices, CMMC compliance spans five levels, with the third one being the minimum requirement ...

Most organizations wanting to contract or subcontract with the Department of Defense should aim for CMMC level 3. This is the minimum required level for handling controlled unclassified information (CUI), and compliance will be fully enforced from October 2025.

Level 5 is the highest of all the CMMC levels, and the most time-consuming and complicated to achieve. While this level only adds 15 new CMMC controls, they are far more complex and burdensome to implement and manage than most of those from previous levels. Furthermore, there is the cumulative challenge of implementing all the controls from previous levels for a grand total of 171. In other ...

While the controls introduced in CMMC levels 1 and 2 present the bare minimum of adequate security, the third level is where things culminate. This is also the level that most organizations should be aiming for, not least because it presents the minimum baseline security standards required for an organization to legally handle controlled unclassified information (CUI).

With 72 controls spanning all but two of the 17 domains, CMMC level 2 presents a significant step up from the first level. However, it is also widely considered to be a transitional phase in developing sufficiently robust cybersecurity standards, since most businesses will ultimately be aiming for the third level.

Businesses embarking on their CMMC journey will most likely be aiming for CMMC level three, which is the requirement for handling controlled unclassified information (CUI). However, the demands of level 3 are no easy feat to achieve, hence the importance of the two transitional steps that precede it. Of all the CMMC levels, the first is by far the least demanding, since it only consists of 17 ...

The first level of the CMMC framework is intended to serve as an introduction to further CMMC levels. While every organization will ultimately need to achieve a higher level to sign contracts with the DoD, CMMC level one is an important starting point. It is also by far the easiest level to implement, since it consists of only 17 actionable controls. By contrast, level 5, which is the highest ...

While CMMC levels one and two encompass the transitional work required to get your cyber hygiene up to scratch, the third level is the one that most organizations will be aiming for. This level is currently the most common certification to aim for, as it is a requirement for businesses that handle controlled unclassified information (CUI) on behalf of the Department of Defense. You generally ...