In January 2020, the US Department of Defense (DoD) launched the first version of the Cybersecurity Maturity Model Certification (CMMC 1.0) framework. This framework was created to ensure that appropriate cybersecurity measures were in place to protect the following types of information:
However, many Defense Industrial Base (DIB) companies complained that CMMC 1.0 was too complex and expensive. In response, the DoD released CMMC 2.0 in November 2021. CMMC 2.0 is a streamlined version of the original, doing away with the transitional Levels 2 and 4 and dropping the number of levels from five to three:
The CMMC 2.0 security maturity levels are based on the type of data that DIB companies handle. In essence, the more sensitive the data involved, the higher the CMMC level required. Each level is aligned with established standards, such as Federal Acquisition Regulation (FAR) and National Institute of Standards and Technology (NIST) requirements, eliminating practices that were unique to CMMC 1.0.
In this blog, we will discuss the different CMMC 2.0 levels to aid you in identifying which level is appropriate for your company.
As with CMMC 1.0 Level 1, this level focuses on the protection of Federal Contract Information (FCI). Unlike Controlled Unclassified Information (CUI), FCI is not considered critical to national security. Therefore, if your company plans to bid for DoD contracts that handle only FCI, then you should aim for Level 1.
To achieve Level 1 certification, you must undergo an annual self-assessment and comply with the 17 controls found in FAR 52.204-21, which details the basic cybersecurity measures necessary to protect FCI.
Similar to CMMC 1.0 Level 3, this level aims to safeguard CUI, which requires a higher level of security than FCI.
CMMC 2.0 further classifies the sensitivity of CUI involved by dividing this level into two categories: prioritized acquisitions and non-prioritized acquisitions. CUI related to weapons systems, for example, falls under prioritized acquisition, while CUI related to military uniforms is under non-prioritized acquisitions.
CUI that falls under the first category is identified as “critical national security information.” If your company will handle such information, you must undergo triennial assessments by a certified CMMC third-party assessor organization (C3PAO). However, annual self-assessments will suffice for handling CUI that falls under the second category.
On top of such assessments, CMMC 2.0 Level 2 certification requires compliance with all 110 security practices of NIST SP 800-171, which is 20 practices fewer than the number required under CMMC 1.0 Level 3 certification.
This level is intended for DIB companies that work with CUI on the DoD’s highest priority programs. Similar to CMMC 1.0 Level 5, CMMC 2.0 Level 3 focuses on reducing the risk from advanced persistent threats (APTs). An APT is launched by perpetrators with substantial means, with the intent of stealing highly sensitive data, such as the layouts of nuclear power plants or codes for breaking into DIB companies’ IT systems.
To get certified for this level, you must comply with CMMC 2.0 Level 2’s 110 controls plus a subset of NIST SP 800-172 controls. Moreover, you will need to undergo assessments conducted by the government rather than C3PAOs.
If you are planning to apply for CMMC 2.0, then you’ll greatly benefit from working with a managed IT services provider like Charles IT. When you partner with us, your company will undergo our three-step process:
By going through these steps, you can achieve CMMC 2.0 compliance in no time. Get in touch with us today to get started!
Editor's Note: This post was originally published in January 2022 and has been updated for accuracy and comprehensiveness.