Which CMMC 2.0 Level Is Right for Your Company?

In January 2020, the US Department of Defense (DoD) launched the first version of the Cybersecurity Maturity Model Certification (CMMC 1.0) framework. This framework was created to ensure that appropriate cybersecurity measures were in place to protect the following types of information: 

  • Federal contract information (FCI) – “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments” (from 48 CFR 52.204-21)
  • Controlled unclassified information (CUI) – “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls” (from 32 CFR 2002.4)

However, many Defense Industrial Base (DIB) companies complained that CMMC 1.0 was too complex and expensive. In response, the DoD released CMMC 2.0 in November 2021. CMMC 2.0 is a streamlined version of the original, doing away with the transitional Levels 2 and 4 and dropping the number of levels from five to three:

  • Level 1: Foundational
  • Level 2: Advanced
  • Level 3: Expert

The CMMC 2.0 security maturity levels are based on the type of data that DIB companies handle. In essence, the more sensitive the data involved, the higher the CMMC level required. Each level is aligned with established standards, such as Federal Acquisition Regulation (FAR) and National Institute of Standards and Technology (NIST) requirements, eliminating practices that were unique to CMMC 1.0.

In this blog, we will discuss the different CMMC 2.0 levels to aid you in identifying which level is appropriate for your company. 

CMMC 2.0 Level 1: Foundational

As with CMMC 1.0 Level 1, this level focuses on the protection of FCI. Unlike CUI, FCI is not considered critical to national security. Therefore, if your company plans to bid for DoD contracts that handle only FCI, then you should aim for Level 1. 

To achieve Level 1 certification, you must complete an annual self-assessment (with an annual affirmation by a company official) and comply with the 17 practices in the CMMC model, which correspond to the basic safeguarding requirements of FAR 52.204-21 for protecting FCI.

CMMC 2.0 Level 2: Advanced 

Similar to CMMC 1.0 Level 3, this level aims to safeguard CUI, which requires a higher level of security than FCI. 

CMMC 2.0 further classifies the sensitivity of CUI involved by dividing this level into two categories: prioritized acquisitions and non-prioritized acquisitions. CUI related to weapons systems, for example, falls under prioritized acquisition, while CUI related to military uniforms is under non-prioritized acquisitions. 

CUI that falls under the first category is identified as “critical national security information.” If your company will handle such information, you must undergo triennial assessments by a certified CMMC third-party assessor organization (C3PAO). Annual self-assessments suffice for CUI that is under the second category. 

On top of such assessments, CMMC 2.0 Level 2 certification requires compliance with all 110 security practices of NIST SP 800-171 — 20 practices fewer than those required under CMMC 1.0 Level 3 certification. 

CMMC 2.0 Level 3: Expert 

This level is intended for DIB companies that work with CUI on the DoD’s highest priority programs. Similar to CMMC 1.0 Level 5, CMMC 2.0 Level 3 focuses on reducing the risk from advanced persistent threats (APTs). As defined by NIST, an APT is an adversary with sophisticated expertise and significant resources that pursues its objectives, typically the theft of highly sensitive information or the disruption of a mission, repeatedly over an extended period using multiple attack vectors, adapting to the defender’s efforts to resist it. 

To get certified for this level, you must comply with CMMC 2.0 Level 2’s 110 controls plus a subset of NIST SP 800-172 controls. Moreover, the triennial assessments for Level 3 are led by the government (through the DoD’s Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than by C3PAOs. 

How Can Your Company Obtain CMMC 2.0 Compliance?

If you are planning to apply for CMMC 2.0, then you'll greatly benefit from working with a managed IT services provider like Charles IT. When you partner with us, your company will undergo our three-step process:

    1. Gap Assessment – Identify weak spots in your company’s IT infrastructure and receive a remediation plan that addresses these.
    2. CMMC Services Enlistment – Utilize our cybersecurity services such as endpoint encryption, security awareness training, external vulnerability scanning, and dark web monitoring.
    3. CMMC Audit Assessment - Receive guidance throughout the CMMC assessment process, from recommended auditors to evidence needed to prove your security posture and the effectiveness of controls. 

By going through these steps, you can achieve CMMC 2.0 compliance in no time. Get in touch with us today to get started!

Editor's Note: This post was originally published in January 2022 and has been updated for accuracy and comprehensiveness. 