Compliance Levels in CMMC 2.0

Due to the changes made between CMMC 1.02 and the current CMMC 2.0, what were called CMMC Certification Levels are now referred to as CMMC Compliance Levels.

Overview

Depending on the nature of your service to the Department of Defense (DoD), your organization will need to achieve one of three increasingly stringent CMMC Compliance Levels. The level you are required to achieve will be stated in your contract. The majority of contracts require Level 1 or Level 2.

CMMC Compliance Levels are based on the type of information the contractor will handle and how strongly that information must be secured:

  • Level 1: Federal Contract Information (FCI)
  • Level 2: FCI & Controlled Unclassified Information (CUI)
  • Level 3: FCI & CUI + Additional Protections and Controls

Level 1: Foundational

This is the base level of CMMC Compliance and consists of 17 basic cybersecurity practices, including but not limited to Identification and Authentication and basic Access Control. If you are contracted by the DoD and do not solely produce Commercial Off-the-Shelf (COTS) products, you are required to achieve at least this level. The vast majority of contracts fall under this level of protection.

No assessment by a third party is required to achieve Level 1 compliance, but you will be required to perform annual self-assessments. Each self-assessment must be affirmed by a senior company official, and that affirmation carries liability under the False Claims Act.

Level 2: Advanced

(Previously known as CMMC Level 3 in CMMC version 1.02)

This level requires an organization to build on the controls implemented for Level 1 and raise its overall security posture to be eligible to handle CUI. Level 2 requires compliance with NIST SP 800-171, which consists of a total of 110 practices. This level significantly increases the time and cost needed to achieve compliance, but it is necessary for any organization that handles both CUI and FCI.

Nearly all organizations at CMMC Compliance Level 2 must be regularly assessed by a CMMC Third Party Assessment Organization (C3PAO), which in turn is officially accredited by the CMMC Accreditation Body (CMMC-AB).

Level 3: Expert

(This level combines the former CMMC Levels 4 and 5 from CMMC version 1.02)

This level is designed to ensure an organization's ability to effectively protect CUI from Advanced Persistent Threats (APTs). There are fewer new requirements than in the jump from Level 1 to Level 2, but the additional practices and controls are more advanced and more time-consuming to implement and maintain. They include a selection of enhanced security practices drawn from NIST SP 800-172, on top of everything required for Level 2.

As this is the highest level of CMMC Compliance, organizations seeking Level 3 will be assessed directly by government officials.
