September 11, 2025

Last Updated on September 11, 2025

The Cybersecurity Maturity Model Certification (CMMC) program is a US Department of Defense (DoD) initiative created to safeguard controlled unclassified information (CUI) and federal contract information (FCI) shared through non-government systems across the defense industrial base (DIB). CMMC builds on longstanding trust-based cybersecurity requirements specified in the Defense Federal Acquisition Supplement 252.204-7012 clause (DFARS 7012) by adding a verification component.

While the current self-attestation regime based on the NIST SP 800-171 Rev. 2 standard is “one size fits all,” CMMC defines three levels of compliance and certification requirements to “right-size” cybersecurity with a contractor’s actual risk profile based on the data they need to protect.

This article gives business stakeholders a concise overview of the three CMMC levels to help you understand your compliance requirements and the effort involved.

Key takeaways

  • The CMMC maturity model offers three certification levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). Most DIB orgs that handle CUI will need to meet Level 2 requirements, including a third-party certification audit.
  • Each of the three CMMC levels has an associated set of practices (called controls in NIST 800-171) organized around domains (called control families in NIST 800-171). There are 15 practices at Level 1, 110 at Level 2, and 134 at Level 3.
  • The key difference between CMMC and the current DoD cybersecurity requirements is that CMMC mandates third-party audits to verify compliance.
  • Except for COTS products and procurements below the micro-purchase threshold, all DoD contracts will eventually require CMMC compliance in alignment with the DoD’s program rollout schedule.

What are the 3 CMMC Levels?

CMMC requires DIB orgs that handle sensitive unclassified defense information to implement progressively more advanced cybersecurity controls depending on the risk associated with their data. CMMC compliance requirements “flow down” the supply chain along with the sensitive data they are meant to protect.

DoD contracts and RFPs will specify the CMMC level(s) required for prime contractors and their subcontractors. Compliance with a specific CMMC level will be a precondition of contract award.

The CMMC levels are “cumulative.” To achieve certification at a given level, a business must demonstrate that it complies with the requirements of the lower levels.

The 3 CMMC levels are:

  • Level 1—Foundational. This level requires basic cybersecurity measures to protect FCI only. Annual certification self-assessments are also required, along with an attestation by a senior company representative.
  • Level 2—Advanced. The great majority of DIB contractors that handle CUI as well as FCI will need to achieve CMMC Level 2 certification based on a rigorous third-party audit and senior executive attestation prior to bidding on contracts. Reassessments are every third year with annual executive affirmation of ongoing compliance. A handful of companies that receive only non-critical or less sensitive CUI that falls outside the NARA Registry Defense organizational index grouping will be eligible for Level 2 certification based on a self-assessment every three years and annual executive affirmation.
  • Level 3—Expert. This highest CMMC maturity level is reserved for contractors working with highly sensitive CUI on the most critical DoD programs, which are likely to be targets of advanced persistent threats (APTs) and nation-state actors. Besides passing a CMMC Level 2 audit, organizations subject to CMMC Level 3 will need to fulfill 24 additional requirements per NIST 800-172 and undergo a second assessment by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A government-led reassessment is required every third year along with annual executive affirmation of ongoing compliance.

Table 1 summarizes the critical features and differences among the three CMMC levels.

| CMMC Level | Purpose | Requirements | Assessment | POA&Ms OK? |
|---|---|---|---|---|
| 1 | Foundational: Ensure protection of FCI | 15 controls per FAR clause 52.204-21 | Annual self-assessment + annual affirmation | Not permitted |
| 2 (C3PAO) | Advanced: Ensure protection of CUI | 110 controls per NIST 800-171 Rev. 2 | Third-party assessment every 3 years + annual affirmation | Permitted; must be closed out within 180 days |
| 2 (Self) | Advanced: Ensure protection of less sensitive CUI on select programs | 110 controls per NIST 800-171 Rev. 2 | Self-assessment every 3 years + annual affirmation | Permitted; must be closed out within 180 days |
| 3 | Expert: Ensure protection of highly sensitive CUI on critical DoD programs | 134 controls per NIST 800-171 Rev. 2 and NIST 800-172 | Government-led assessment every 3 years + annual affirmation | Permitted; must be closed out within 180 days |

Table 1: CMMC levels

What are CMMC practices?

Each of the three CMMC levels defines an associated set of practices, aka controls. To achieve certification at a specific level, an organization must demonstrate that it has both implemented and operationalized the associated practices for that level and the preceding levels.

Like ISO 27001 and other trusted frameworks, CMMC strongly emphasizes continuous improvement and governance to effectively manage the required practices over time, versus just standing them up and documenting them for a certification audit. Beyond just meeting a requirement “on paper,” DIB orgs seeking CMMC certification will need to prove to auditors and other stakeholders that they have operationalized the requirements within day-to-day business activities.

These are the practices/controls associated with each CMMC level:

  • CMMC Level 1 focuses on protecting FCI but not CUI. It specifies 15 practices that correspond to the requirements defined in 48 CFR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.”
  • CMMC Level 2 focuses on protecting CUI. It includes all 110 practices from NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
  • CMMC Level 3 focuses on protecting highly sensitive CUI from sophisticated threats. It includes the 110 practices from NIST 800-171 plus 24 additional practices from NIST 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

What are CMMC domains?

Similar to the NIST 800-171 control families, CMMC organizes its practices into 14 interdependent domains. Table 2 lists the 14 CMMC domains and the 110 associated practices at CMMC Level 2.

| Domain | Summary | Number of Practices |
|---|---|---|
| Access Control (AC) | Monitor all access events in your CMMC environment and limit access to data and systems. | 22 |
| Audit & Accountability (AU) | Retain audit records to hold users accountable and support cyber incident forensics. | 9 |
| Awareness & Training (AT) | Make sure that users know the cybersecurity risks associated with their role and activities, understand cybersecurity policies, and can recognize and help block threats (e.g., phishing attacks). | 3 |
| Configuration Management (CM) | Establish and maintain baseline software configurations. | 9 |
| Identification & Authentication (IA) | Allow only authenticated users to access company networks, systems, or data. | 11 |
| Incident Response (IR) | Develop a strategy and plan that drives efficient and effective responses to cyber incidents. | 3 |
| Maintenance (MA) | Perform system maintenance in accordance with best practices to protect the confidentiality of sensitive data. | 6 |
| Media Protection (MP) | Make certain that both paper and digital media containing CUI are secure. | 9 |
| Personnel Security (PS) | Track and manage user activities in relation to CUI, e.g., employees leaving the organization. | 2 |
| Physical Protection (PE) | Protect assets from loss, theft, and/or damage from physical occurrences. | 6 |
| Risk Assessment (RA) | Perform regular risk assessments and vulnerability scans. | 3 |
| Security Assessment (SA) | Assess and validate that cybersecurity controls are effective and safeguard data in accordance with acceptable risks. | 4 |
| Systems & Communications Protection (SC) | Track and protect data as it is received or transmitted by IT systems. | 16 |
| System & Information Integrity (SI) | Efficiently monitor, flag, and mitigate vulnerabilities to protect sensitive data from malicious code. | 7 |

Table 2: CMMC domains

How is CMMC 2.0 Level 2 different from NIST 800-171?

From the standpoint of controls, CMMC Level 2 is built on NIST 800-171 Rev. 2, which has specified the cybersecurity requirements for DoD contractors handling CUI since December 31, 2017.

However, CMMC adds a third-party certification process based on three compliance tiers. While NIST 800-171 compliance relies on self-assessments, CMMC Level 2 requires third-party certification audits for the great majority of suppliers.

Contracts requiring CMMC Level 2 will also include the DFARS 7019 clause, which requires contractors to upload a NIST 800-171 compliance score into the DoD’s SPRS database as a prerequisite for CMMC certification. This ensures that all contract participants have documented an assessment of their cybersecurity practices and explicitly provided the DoD with that data.

Does my business need to comply with CMMC?

All prime contractors, subcontractors, and suppliers that want to bid on or participate in future DoD contracts that contain the CMMC DFARS clause (DFARS 7021) will need to attain CMMC certification at the specified level prior to contract award. Contractors must maintain their CMMC compliance status throughout the contract’s duration.

Exceptions may include:

  • Contracts for commercial off-the-shelf (COTS) products only.
  • Contracts below the micro-purchase threshold of $10,000.

Defense suppliers that are subject to a current DoD contract with a DFARS 7012 clause will need to pass a CMMC Level 2 audit when the contract is renewed if they are not already certified.

Cloud service providers (CSPs), Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), SaaS providers, IT consultants, and other External Service Providers (ESPs) that deliver a service relating to accessing, managing, and/or protecting CUI for a DoD contract may be subject to CMMC compliance. A DIB org can optionally include an ESP in its system security plan, so that the ESP is assessed for CMMC compliance alongside the org rather than being required to hold its own CMMC certification.

What’s next?

CBIZ Pivot Point Security offers a full complement of CMMC advisory and consulting services. Contact us today to connect with a CMMC expert about your company’s unique compliance scenario.