Understanding The 3 Levels of CMMC 2.0 

In the realm of government contracts, cybersecurity is paramount, especially when handling sensitive information. The Cybersecurity Maturity Model Certification (CMMC) provides a framework for ensuring that organizations in the Defense Industrial Base meet specific cybersecurity standards. With the introduction of CMMC 2.0, the certification process has evolved to better align with ever-changing threats and industry needs. Let’s dive into the three defined certification levels of CMMC 2.0 and how they impact contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The Shift to the Tiered Model

CMMC 2.0 Levels

CMMC 1.0 divided contractor requirements across five unique levels. CMMC 2.0  consolidates the original model into a more efficient 3 tiered system for DoD contractors. According to the Department of Defense, there are a handful of advantages to the CMMC 2.0 model:

  • Focused on Critical Requirements: CMMC 2.0 consolidates the model from five to three compliance levels, streamlining the certification process. This simplification allows organizations to focus on the most critical cybersecurity requirements, ensuring a more targeted approach to risk mitigation.
  • By leveraging National Institute of Standards and Technology (NIST) cybersecurity standards, CMMC 2.0 ensures alignment with established best practices. This alignment not only enhances cybersecurity effectiveness but also promotes compatibility with existing industry standards.
  • Reduced Assessment Costs: CMMC 2.0 introduces a cost-saving measure by enabling companies at Level 1 to demonstrate compliance through self-assessments. This reduction in assessment costs makes the certification process more accessible across the DIB, fostering greater participation in cybersecurity initiatives.
  • Higher Accountability: With an increased focus on oversight, CMMC 2.0 enhances the accountability of third-party assessors, ensuring adherence to professional and ethical standards. This heightened oversight promotes trust and confidence in the certification process, ultimately strengthening the integrity of cybersecurity assessments.

A Deeper Look at the CMMC 2.0 Level

Foundational (Level 1):

At Level 1, contractors primarily dealing with FCI are required to adhere to basic cybersecurity practices outlined in the Federal Acquisition Regulation (FAR) clause 52.204-21. These practices focus on establishing fundamental cyber hygiene to safeguard FCI. 

  • Who requires CMMC Level 1? Department of Defense (DoD) contractors and subcontractors managing Federal Contract Information (FCI) — defined according to FAR 52.204-21 as “Information not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” — necessitate CMMC Level 1 certification.

Advanced (Level 2):

Level 2 is designed for companies that deal with more sensitive information categorized as Controlled Unclassified Information (CUI). To make sure this information stays safe, organizations in Level 2 need to comply with a set of rules called security controls. There are 110 of these rules split across 14 families that cover a range of security and compliance initiatives designed to safeguard CUI. 

To meet Level 2, companies MUST follow the rules from NIST SP 800-171 Rev 2. They can show they’re following the rules either by checking themselves (self-assessment) or getting certified by an outside organization (third-party certification). Which method they use depends on what their contract with the government says, but a SPRS score of 110 is required.

Compliance verification involves self-assessment, annual affirmation, and every three years, they might also get checked by an outside organization called a CMMC Third-Party Assessment Organization (C3PAO) to make sure they’re doing things right.

  • Who requires CMMC Level 2? Department of Defense (DoD) contractors and subcontractors dealing with Controlled Unclassified Information (CUI) must adhere to Level 2 compliance. In cases where the prime contractor only shares specific information, a lower CMMC level may apply to the subcontractor.

Expert (Level 3):

Level 3 targets contractors managing CUI in the DoD’s most critical programs, necessitating advanced cybersecurity measures to combat Advanced Persistent Threats (APTs). It incorporates sophisticated practices from both NIST SP 800-171 and NIST SP 800-172.

Organizations face more rigorous requirements, including selected practices from NIST 800-172, to protect against APTs.

Certification assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on behalf of the DoD, focusing on enhanced protection measures and advanced cybersecurity practices.


Which CMMC Level Are You?

As per a statement from the Office of the Under Secretary of Acquisition and Sustainment (OUS A&S), “the Department of Defense (DoD) will indicate the necessary CMMC level in the solicitation and in any Requests for Information (RFIs) if utilized.”

By the year 2025, all contractors engaged in business with the DoD must adhere to CMMC requirements. This obligation extends to both prime contractors and subcontractors, no matter the size. Each DoD contract will specify the CMMC maturity level required for each contractor, meaning that contractors working on the same contract may have different CMMC obligations. 

At IsI, we stand ready to assist organizations in understanding and navigating the intricate DoD compliance landscape. By partnering with IsI for CMMC managed services, organizations can streamline their path to compliance, while focusing on your business and winning more contracts. Contact us to start your journey to achieving DoD compliance.