The 5 CMMC Compliance Levels

CMMC Level 1 Requirements (Foundational):

CMMC Level 1, the base level of compliance, is designed to be straightforward and manageable. It consists of practices that align with the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. This foundational level comprises 17 basic cybersecurity practices, such as implementing Identity and Authentication and basic Access Controls.

Level 1, focused on protecting Federal Contract Information (FCI), is a requirement for anyone seeking a DoD contract who is not producing solely Commercial Off-the-Shelf (COTS) products. The majority of DoD contracts will necessitate this level of compliance. Importantly, the requirements for Level 1 have remained consistent with CMMC 1.02, so organizations already familiar with that version can approach them with confidence.

Under CMMC 2.0 Compliance Level 1, there is no need for a third-party certification assessment, as this level does not involve sensitive national security information. Instead, the contractor is responsible for conducting an annual self-assessment. These self-assessments, which must be accompanied by an affirmation from a senior company official, hold the company accountable under the False Claims Act.

The DoD plans to mandate the registration of self-assessments and affirmations in the Supplier Performance Risk System (SPRS). This system will serve as a repository for these documents, which can be audited by the DoD at any time.

CMMC Level 2 Requirements (Advanced):

Welcome to the exciting world of CMMC Level 2! This stage corresponds to what was previously known as Level 3 under the earlier CMMC 1.02 version. It’s a crucial step in enhancing your organization’s cybersecurity practices and safeguarding Controlled Unclassified Information (CUI).

At Level 2, the emphasis shifts to building upon the foundational security practices set in Level 1. This level involves a comprehensive approach to bolster your organization’s security posture. To achieve compliance, organizations are required to meet the standards detailed in NIST SP 800-171, which lists 110 essential practices. While there’s ongoing discussion about the additional 61 Non-Federal Organization (NFO) controls from Appendix E of NIST SP 800-171, it’s important to note that the Department of Defense (DoD) has confirmed these controls will not be part of the assessment process.

In terms of control requirements, CMMC 2.0 Level 2 nicely aligns with the existing Defense Federal Acquisition Regulation Supplement (DFARS) rules, specifically 252.204-7012 and -7019, which have been in effect since December 31, 2017, and November 30, 2020, respectively. The key differences you’ll encounter pertain to Plans of Action and Milestones (PoA&M) and the assessment criteria.

For organizations managing both Federal Contract Information (FCI) and CUI, meeting the CMMC Level 2 requirements or higher is essential. This makes Level 2 one of the most commonly required maturity levels across all CMMC compliance levels, and many of our valued clients are currently working to align with these standards.

When it comes to assessments for CMMC Level 2, here’s the breakdown:

  1. A limited number of contracts with Level 2 (“Advanced”) requirements that are not tied to national security will allow organizations to conduct self-assessments, similar to the process in CMMC Level 1. However, as clarified by the DoD in February 2022, this will apply to only a select group of companies.
  2. For the majority of contracts under CMMC Level 2, contractors will be required to secure an assessment from a CMMC Third Party Assessment Organization (TPAO) accredited by Cyber AB, the official accreditation body of the CMMC Ecosystem. Cyber AB is the sole authorized non-governmental partner of the DoD for CMMC compliance oversight.

CMMC Level 2 marks a significant step forward from Level 1, bringing along new timelines and cost considerations. If you’re curious about the CMMC implementation process and estimated timelines for Level 2, be sure to check out the comprehensive resources available to guide you through this exciting journey!

CMMC Level 3 Requirements (Expert):

CMMC Level 3 combines the previously established CMMC Levels 4 and 5 from the earlier CMMC 1.02 iteration.

For organizations required to achieve Level 3 certification, the primary focus shifts to enhancing the effectiveness of protecting Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs). Although there are not as many new practices to implement compared to Level 2, the practices at this level are more complex and time-consuming to implement and maintain.

Achieving CMMC Level 3 requires organizations to review and measure the effectiveness of their practices, as well as to implement a subset of enhanced security measures from NIST SP 800-172 in addition to those required for Level 2.

T3CHNOLOGY estimates that fewer than 600 companies will be required to achieve CMMC Level 3 compliance. Organizations at this level will be assessed by government officials, and the assessment requirements are currently being developed.
