This post contains information regarding the CMMC 2.0 model.
The DoD is in the process of writing rules to clarify the changes made in CMMC 2.0. This could take 9-24 months to complete. Meanwhile, DoD recommends that contractors work toward compliance with NIST SP 800-171 as the required controls can take months to implement.
The Cybersecurity Maturity Model Certification (CMMC) program was initially released in late January 2020. This regulatory compliance program incorporates three levels of fundamental cybersecurity requirements into the acquisition and contract process to safeguard controlled unclassified information (CUI). A CMMC level is assigned to each Department of Defense (DoD) contractor based on the amount of CUI its systems must hold in order to perform the contract.
Former CMMC 1.0 Levels
The original CMMC model had five maturity levels. Each level had control requirements, or practices, and processes. Contractors could certify at Levels 1, 3, and 5. Confusingly, Levels 2 and 4 served as “stepping stones” to signify a company was working toward Levels 3 and 5 certification, respectively.
To make the model easier to understand and comply with, the CMMC program was reviewed and version 2.0 was released in November 2021, nearly two years later. Among the major changes, the DoD reduced the five levels to three and removed all processes and additional CMMC-specific practices.
Current CMMC 2.0 Levels
Many factors influence the classification of CMMC levels, including the types of sensitive information, rules, complexity, and information threats applicable to a company. Each level of CMMC is meant to provide suitable protection for the type of CUI a contract may contain.
Going forward, a contract's initial Requests for Information (RFIs) will specify the CMMC level a company must hold in order to be considered.[1]
Level 1: Foundational
Applicability
Level 1 applies to all DoD contractors that handle only federal contract information (FCI) and no CUI. Any company with access to CUI is required to comply with Level 2.
Cybersecurity Practices
Companies subject to Level 1 must implement its 17 basic safeguarding practices. These practices are foundational and range from restricting system access to properly disposing of devices that contained sensitive information.
Level 1 has requirements in the following domains:
- Access Control (AC)
- Identification and Authentication (IA)
- Media Protection (MP)
- Physical Protection (PE)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Certification Method
Level 1 companies will be able to self-attest to their compliance in order to receive certification. In this process, contractors determine their compliance score through a self-assessment, or a readiness assessment conducted by a cybersecurity service provider, and submit the score to the Supplier Performance Risk System (SPRS). Contractors must repeat the self-attestation annually.
Level 2: Advanced
Applicability
Level 2 applies to contractors that store, process, or transmit any amount of CUI. The DoD estimates that most of its more than 300,000 contractors will fall into this category.
Cybersecurity Practices
CMMC Level 2 requirements mirror the 110 widely used NIST SP 800-171 requirements and include all 17 practices found in Level 1. Beyond Level 1, these practices add controls such as multi-factor authentication and ongoing security control monitoring.
Level 2 has requirements in all of the 14 CMMC domains:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Certification Method
Most companies will need a third-party assessment by a C3PAO at this level, although the DoD is permitting some to self-attest. The guidance for this process will be published soon.
Level 3: Expert
Applicability
Level 3 also applies to companies that deal with CUI. However, this level is for companies whose contracts face a higher risk from advanced persistent threats (APTs) than those at Level 2. The DoD will soon release its Level 3 Assessment Guide, which will define what it considers an increased risk.
Cybersecurity Practices
A supplement to NIST SP 800-171, the enhanced security requirements in NIST SP 800-172 were created to counter advanced persistent threats. Because of this, a contract that requires Level 3 certification may call out some or all of the enhanced requirements from NIST SP 800-172.[1] Many have predicted that this scenario will occur rarely.
Level 3's enhanced requirements fall under 10 of the 14 CMMC domains:
- Access Control (AC)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Personnel Security (PS)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Certification Method
Any organization that needs to comply at Level 3 will have to go through a C3PAO assessment. Even after the C3PAO assessment, though, some Level 3 contractors may have to undergo an additional assessment performed by government officials within the DoD.
Find Out Which Level Applies to You
Use our CMMC Self-Assessment Tool to find out if your organization has CUI and is subject to Level 2 requirements.
Sources
[1] https://www.acq.osd.mil/cmmc/model.html
https://www.acq.osd.mil/cmmc/docs/AG_Level1_V2.0_FinalDraft_20211210_508.pdf
https://www.acq.osd.mil/cmmc/docs/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf