<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Show all

The 3 Levels of CMMC Explored

For businesses, suppliers, and contractors working with the Department of Defense, CMMC 2.0 is a contractual requirement (DoD). These rules must be followed regardless of what services or supplies you supply to the government. What steps is your company taking to address this issue? Are you ready for it?

With the goal post constantly shifting, how can my organization be compliant? The Department of Defense (DoD) announced an update to the CMMC program back in November 2021, dubbed CMMC 2.0. The rule-making process for CMMC 2.0 has been underway now for a lengthy amount of time, and it was expected to take between 9 to 24 months. CMMC 2.0 is now a mandatory contractual obligation for suppliers, organizations, contractors, and sub-contractors providing products and services to the DoD. Every contractor in the defense industrial base must conduct a self-assessment once per year. However, the same is not true for third-party assessments. CMMC 2.0 understands that different types of sensitive information require different degrees of protection. As such, third-party assessment requirements will consequently be based on the type of information DIB companies are working with.

One of the biggest changes done from CMMC 1.0 has been the removal of two levels from the original. CMMC 2.0 will include three (3) levels, as opposed to five (5) in CMMC 1.02. Levels 2 and 4 have been removed from the model. The basic safeguarding controls of FAR 52.204-21 will be included in Level 1, dubbed "foundational." There were no changes in terms of security controls. Those required to be CMMC Level 1 will be able to self-assess their cybersecurity posture (annually) with leadership sign-off and enter their score into the Supplier Performance Risk System once CMMC 2.0 is in place (more on that below) (SPRS).

In this blog post, we'll explore each of the three levels.


Level 1: Foundational

Only companies that focus on the protection of FCI are eligible for Level 1 (Foundational). It's similar to the old CMMC Level 1 system. Level 1 will focus on the protection of FCI and will be based on the 17 rules listed in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information. These controls aim to safeguard covered contractor information systems by restricting access to only authorized users.

3rd party certification will not be required for companies seeking Level 1 criteria. Instead, the contractor must define the people, technology, facilities, and external suppliers who handle, store, or transmit FCI in their environment. Companies will be required to self-certify once a year that they meet the FAR clause 52.204.21 fundamental safeguarding criteria for FCI.


Level 2: Advanced


Companies that deal with CUI at Level 2 (Advanced) are eligible. It's similar to the old CMMC Level 3 system.

All practices and maturity procedures that were unique to CMMC will be deleted under CMMC 2.0 Level 2 (Advanced) criteria, which will reflect NIST SP 800-171. Instead, Level 2 follows the National Institute of Technology and Standards (NIST14 )'s levels and 110 security measures for CUI protection. As a result, the DoD's 20 requirements in the old CMMC Level 3 were deleted, bringing the new Level 2 (Advanced) into complete compliance with NIST SP 800-171.

Every three years, you'll require a third-party review if you're pursuing CMMC level 2. The Department of Defense has reversed its earlier claims that level 2 standards would be bifurcated. This means you'll need to hire accredited C3PAOs (CMMC Third Party Assessment Organizations) or professional CMMC Assessors to assess you.


Learn More About Our CMMC 2.0 Offerings


Level 3: Expert

How a Registered Provider Organization Can Help DoD Contractors Achieve CMMC Compliance Graphic

The goal of Level 3 (Expert) is to reduce the danger of Advanced Persistent Threats (APTs). It is intended for companies that collaborate with CUI on the Department of Defense's highest-priority programs. It's comparable to the CMMC Level 5 in the past. The Department of Defense is still determining the Level 3 (Expert) security criteria, however, it has stated that they will be based on NIST SP 800-171's 110 controls plus a subset of NIST SP 800-172 controls.

Level 3 (Expert) compliance requires companies to achieve the security criteria outlined in NIST SP 800-171, as well as a portion of the requirements outlined in NIST SP 800-172. The Department of Defense is still working out how firms seeking level 3 compliance will be evaluated. These businesses, on the other hand, will need a DIBCAC audit to be in compliance.

At this time, no C3PAO assessments of defense contractors are being conducted. The final assessment process for C3PAOs is slated to begin in the summer of 2022, according to the Department of Defense. Contracts will be eligible to undertake optional assessments with certified C3PAOs at that point.


CMMC 2.0 Maturity Model Certification

In addition to the 3 levels, the CMMC 2.0 is composed of 110+ practices, most of which are part of the NIST SP 800-171 requirements. 

The domains are further broken down into capabilities, with only certain capabilities required for each level.  Organizations that are looking to achieve Level 3 certification must comply with more than 110 practices. 

The following infographic gives a brief outline of how many practices are associated with each level. While navigating the CMMC is a complex process, it's advisable to turn to compliance experts like the team at 24By7Security to go through any of your questions. 


CMMC 2.0 Overview infographic 24By7Security


24By7Security is a Registered Provider Organization (RPO), certified by the Cyber AB (formerly known as CMMC Accreditation Body), fully qualified, and trained to provide CMMC readiness services and help contractors in the Defense Industrial Base on their path to certification against the CMMC standard.

RP(O) Combo Graphic Horizontal

Schedule A Complimentary Call

Sanjay Deo
Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.

Related posts

June, 4 2024
May, 28 2024
May, 21 2024

Comments are closed.

Cybersecurity Issues Can Impact Patient Care
Politics & Profit Drive Cybercrimes in 2022
Subscribe to our Blog!