Back on July 17, 2021, the US Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) 2.0, marking a big step in how we classify cybersecurity levels.
Designed especially for users working with the Defense Industrial Base (DIB), the CMMC framework is like a toolkit to check and amp up how secure these uses are online. The main goal? Making sure everyone working with the DoD follows good online security rules, keeping safe the important stuff like controlled unclassified information (CUI) and federal contract information (FCI).
This guide is your go-to handbook on the Cybersecurity Maturity Model Certification. We’ll dive into the fresh CMMC certification levels, give you some tips on picking the right one, and lay out what comes next on the road to being all good with CMMC 2.0.
How Many CMMC Levels Are There?
Introducing the newest iteration, CMMC 2.0, which streamlines the previous five-tier structure to a more concise three-tier model. Unveiled on July 17, 2021, these three levels comprise Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The evaluation criteria for CMMC assessments differ according to the sought certification level.
Find More: How are the CMMC consulting services helpful for the organization?
What are the CMMC levels?
The CMMC levels represent a comprehensive framework of cybersecurity practices, standards, and processes crafted by the Department of Defense (DoD). This initiative, a crucial part of the CMMC program, aims to fortify national security by harmonizing the approach Defense contractors and subcontractors take in handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0 introduces three distinct security levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Determining your organization’s CMMC maturity level, along with its corresponding compliance and assessment requirements. Also, it hinges on the sensitivity of the data you are entrusted with safeguarding.
Each certification level under CMMC entails specific processes, practices, and assessment procedures tailored for DoD contractors. This intricate structure ensures a meticulous alignment with the security demands associated with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0, Level 1: Foundational
At the initial level, organizations are tasked with implementing fundamental cybersecurity practices. Surprisingly, they can execute these practices informally without the need for extensive documentation and can secure certification through an annual self-assessment.
Interestingly, the assessors (C3PAOs) do not evaluate the maturity of processes at level 1. The practices emphasized at this stage primarily revolve around safeguarding Federal Contract Information (FCI). Notably, level 1 encompasses only those practices that align with the essential safeguarding requirements outlined in 48 CFR 52.204-21.
Now, let’s consider who falls under the purview of CMMC level 1. Department of Defense (DoD) contractors and subcontractors responsible for handling Federal Contract Information (FCI) – defined as “Information not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” – are the entities requiring CMMC level 1 certification.
Also Read: What do you mean by Phishing Stimulation?
CMMC 2.0, Level 2: Advanced
Level 2 demands that organizations thoroughly document their processes to steer their efforts toward achieving CMMC Level 2 maturity. This documentation should not only serve as a guide but also enable users to easily replicate these processes.
To reach this maturity level, organizations must faithfully execute their documented processes.
Considered advanced cyber hygiene practices, Level 2 practices (often known as intermediate cyber hygiene) mark a progression between Level 1 and Level 3.
CMMC 2.0 Level 2 corresponds to CMMC 1.02 Level 3, as per NIST SP 800-171. It encompasses all 14 domains and 110 security controls of CMMC 1.02 derived from NIST 800-171. While omitting the 20 Level 3 practices and processes unique to CMMC 1.02.
Assessment requirements for Level 2 compliance vary depending on whether the handled CUI data is critical or non-critical to national security. Organizations dealing with prioritized acquisitions of data critical to national security must undergo a higher-level third-party assessment (C3PAOs) every three years. In contrast, non-prioritized acquisitions with data not critical to national security must conduct an annual self-assessment.
Who needs CMMC Level 2? DoD contractors and subcontractors managing the same type of controlled unclassified information (CUI) are obligated to meet Level 2 compliance. If the prime only shares select information, a lower CMMC level may apply to the subcontractor.
This level of detail ensures clarity and precision, with a smooth flow between ideas.
CMMC 2.0, Level 3: Expert
The Level 3 CMMC model plays a crucial role in bolstering a system’s defense against advanced persistent threats (APTs). To achieve this, organizations are mandated to craft, sustain, and allocate resources for a comprehensive plan governing the implementation of cybersecurity practices.
This plan encompasses various focal points, including objectives, missions, projects, resource allocation, training initiatives, and engagement with organizational stakeholders.
The cybersecurity practices at this level not only embody good cyber hygiene but also concentrate on safeguarding Controlled Unclassified Information (CUI). Notably, they encompass the security requirements outlined in NIST SP 800-171, along with the incorporation of 20 additional practices for CMMC Level 2.
It’s noteworthy that the DFARS clause 252.204-7012 remains applicable, introducing supplementary requirements beyond NIST SP 800-171. Particularly concerning the reporting of security incidents.
CMMC 2.0 Level 3 is specifically applicable to companies entrusted with handling CUI for Department of Defense (DoD) programs of the utmost priority. While comparable to CMMC 1.02 Level 5, specific security requirements are still in development by the DoD.
Importantly, it has been indicated that the criteria for Level 3 will be grounded in the 110 controls of NIST SP 800-171, supplemented by a subset of controls from NIST SP 800-172.