The Three Levels of CMMC 2.0

Level 1: Basic Cyber Hygiene (Foundational)

This is the most basic level of certification. It consists of a set of practices that correspond directly to the basic safeguarding requirements set out in the Federal Acquisition Regulation (FAR).

Level 1 consists of 17 basic cybersecurity practices, such as implementing Access Control and Identity and Authentication.

Other practices include:

  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • System and Communications Protections (SCP)
  • System and Information Integrity (SII)

The primary aim is to protect Federal Contract Information (FCI), and this level is mandatory for anyone seeking a DoD contract.

Level 2: Intermediate Cyber Hygiene (Advanced)

Level 2 requires documented policies for each of the 17 practices covered by the certification, together with documentation showing that each practice's policies have been carried out.

It is a more extensive set of security practices (55 in addition to the 17 in Level 1) that form a subset of the NIST SP 800-171 requirements, which protect Controlled Unclassified Information (CUI) in the information systems of government contractors and subcontractors. (NIST stands for National Institute of Standards and Technology.)

The goal is to establish a baseline of cybersecurity for any organization that handles CUI, which requires a higher level of security than an organization that handles only FCI.

Level 3: Good Cyber Hygiene (Expert)

The final level requires organizations to establish and maintain a plan for implementing the CMMC requirements.

Level 3 includes all the practices in Levels 1 and 2, the requirements stated in NIST SP 800-171 as well as NIST SP 800-172 (which supplements NIST SP 800-171), and an additional 58 practices.

The primary objective is to enhance the security practices established in the previous two levels and expand an organization's overall security.

CMMC 2.0 represents three fundamental changes that refine the original program requirements:

A Streamlined Model: CMMC 2.0 focuses on the most critical requirements, condensing the model to three compliance levels instead of five. It also aligns with widely accepted standards by adhering to the National Institute of Standards and Technology's cybersecurity standards.

Reliability Assessments: Companies at Level 1 and a subset of those at Level 2 can demonstrate compliance through self-assessments, reducing the cost of third-party assessments. There is also increased accountability, with greater oversight of the professional and ethical standards of third-party assessors.

Flexible Implementation: Under limited circumstances, companies can use Plans of Action and Milestones (POA&Ms) to achieve certification, fostering a spirit of collaboration among team members. CMMC 2.0 also allows waivers of CMMC requirements under certain limited circumstances, adding flexibility and speed to the certification process.