Depending on the nature of your service to the Department of Defense (DoD), your organization will need to achieve one of three increasingly stringent CMMC Compliance Levels. Which level you are required to achieve will be stated in your contract. The majority of contracts require level 1 or 2.
CMMC Compliance Levels are based on which type of information the contractor will be handling and how strongly it must be secured:
This is the base level of CMMC Compliance and consists of 17 basic cybersecurity practices, including but not limited to implementing Identity and Authentication and basic Access Controls. If you are contracted by the DoD and do not produce solely Commercial Off-the-Shelf products, you are required to achieve this level, at the very least. The vast majority of contracts fall under this level of protection.
No assessment by a third party is required to achieve Level 1 compliance, but you will be required to perform annual self assessments. This assessment must be affirmed by a senior company official, and will be liable under the False Claims Act.
(Previously known as CMMC Level 3 in CMMC version 1.02)
This level requires an organization to enhance controls implemented in Level 1 and increase their overall security to be eligible to handle CUI. Level 2 requires compliance with NIST SP 800-171, which consists of a total of 110 practices. This level significantly increases the time and costs needed to achieve compliance, but is necessary for any organization that handles both CUI and FCI.
Nearly all of organizations at CMMC Compliance Level 2 must be regularly audited by a CMMC Third Party Assessment Organization (C3PAO), which in turn is officially accredited by the CMMC Accreditation Body (CMMC-AB).
(This level combines the former CMMC Levels 4 and 5 of the previous CMMC version 1.02)
This level is designed to ensure an organization’s ability to effectively protect CUI from Advanced Persistent Threats (APTs). There are not as many new requirements as the jump from Level 1 to Level 2, but the new practices and controls required are more advanced and time consuming to implement and maintain. These include a selection of enhanced security practices from NIST SP 800-172 requirements, in addition to those required for Level 2.
As it is the highest level of CMMC Compliance, those organizations certified at Level 3 will be assessed directly by government officials.