Updated July 27, 2023

CMMC is a formal document proving a company’s compliance with NIST SP 800-171. NIST SP 800-171 is a NIST Special Publication that sets down guidelines for protecting the confidentiality of controlled unclassified data (CUI).

The purpose of CMMC is to verify that the information systems used by DOD contractors to process, transmit or store sensitive data meet a list of mandatory information security requirements. Its goal is to ensure appropriate protection of CUI and federal contract information (FCI) that is stored and processed by any DoD partner or vendor.

The CMMC framework ranks the reliability and maturity of an organization’s cybersecurity infrastructure, with a focus on the protection of sensitive data over three levels. The three levels build on each other’s technical requirements. Organizations must comply with lower-level requirements before adding processes to comply with a higher level of certification. Each level is made up of a group of processes and practices based on the type, sensitivity and risks to the information that needs to be protected.

While CMMC 1.0 had five levels of certification, CMMC 2.0 consists of only three levels.

The DoD released CMMC version 1.0 on January 31, 2020 and stated that by September 2020 at least some organizations bidding for defense contracts would have to become certified to some level.

The first iteration of the CMMC was built up of four vital parts — domains, capabilities, practices and processes. These elements made up the five cybersecurity maturity levels, with Level 1 being the least mature and Level 5 being the most mature. The framework listed a total of 171 practices across 17 domains.

CMMC Level 1: Basic Cyber Hygiene

Level 1 of CMMC 1.0 referred to the basic cyber hygiene of an organization needed to protect FCI. The requirements for this level (17 practices) were similar to the ones specified in 48 CFR 52.204-21 for “the basic safeguarding of contractor information systems that process, store or transmit Federal contract information.”

CMMC Level 2: Intermediate Cyber Hygiene

Level 2 consisted of a subset of requirements specified in NIST SP 800-171 and other standards. Becoming certified at this level meant that the organization had established and documented the necessary policies and practices to easily mimic them and develop mature capabilities.

CMMC Level 3: Good Cyber Hygiene

Level 3 was geared toward the protection of CUI and included all the security requirements listed in NIST SP 800-171, along with 20 additional practices. An organization had to establish and maintain a plan to demonstrate the set of activities needed to comply with CMMC to gain this level of certification.

CMMC Level 4: Proactive Cyber Hygiene

A Level 4 certification could be given to an organization only after demonstrating the capability to review practices for effectiveness and take corrective action. This level focused on protecting CUI from advanced persistent threats (APTs).

CMMC Level 5: Advanced Cyber Hygiene

At this level, organizations are expected to standardize and optimize processes across the organization with an increased focus on protecting CUI from APTs. To achieve this level of certification, they had to manage a total of 171 practices.

Not long after its release CMMC 1.0 received criticism from small and midsize businesses (SMBs) over the complexity of the framework and the costs associated with compliance and third-party certification. SMB owners became increasingly concerned that the costs associated with becoming certified would eventually force them out of the DIB.

After holding congressional hearings on the public comments received on version 1.0, the DOD released CMMC version 2.0. CMMC 2.0, is meant to streamline the program, making it easier (and less expensive) for contractors to execute. The implementation of self-assessments for each level of certification is also part of the plan to save burdensome expenses. CMMC 2.0 is expected to go into effect in May 2023 and become part of DOD contracts by July 2023.

The most noticeable difference between CMMC 1.0 and CMMC 2.0 is that there are now three evaluation levels instead of five.

Level 1 is the minimum requirement for organizations to bid on defense contracts. The new Level 1 applies to organizations that access, process or store FCI only and do not deal with CUI. It includes 17 practices that must be implemented to secure FCI. Documentation of a formal cybersecurity program is not required. Level 1 contractors will be required to self-assess and have an executive sign off on their compliance.

Level 2 is the minimum level required to protect CUI or covered defense information (CDI), Level 2 includes all 110 cybersecurity controls found in NIST SP 800-171 and also requires a fully documented cybersecurity program and necessitates an independent assessment. As CMMC 2.0 rolls out, until assessment capacity builds, some Level 2 contractors may be allowed to self-assess their compliance.

Even though the DOD is still developing the specific security requirements of Level 3, it has indicated that it will include all 110 NIST SP 800-171 controls plus a subset of the advanced threat controls in NIST SP 800-172.

In each level, the number of controls has also decreased. With CMMC 2.0, the DOD has eliminated all maturity processes, which measure the degree to which an organization has integrated the security practices into the operations of their organization. 20 security requirements were also dropped for this version of CMMC 2.0. The new level only needs organizations to implement the 110 security controls mentioned in NIST SP 800-171 to ensure they securely store and share CUI.

Further, CMMC 2.0 focuses on practices across 14 domains instead of the 17 mentioned in the older version.

These domains include:

• Access Control
• Awareness and Training
• Incident Response
• Personnel Security
• Risk Management
• System and Communications Protection
• Configuration Management
• Maintenance
• Physical Protection
• Security Assessment
• System and Information Integrity
• Audit and Accountability
• Identification and Authentication
• Media Protection

The following are notable highlights for enterprises enhancing their cybersecurity in compliance with CMMC 2.0:

Fewer Levels: Instead of five levels of certification, CMMC 2.0 will have only three, which will be more closely aligned with existing cybersecurity standards. Level 2, for example, will comply with NIST SP 800-171, the guideline that governs how contractors handle regulated unclassified data.

Self-Assessments: Self-assessments are allowed for Level 1 and Level 2 certifications. This will save many, if not all, contractors the time and money of conducting a third-party evaluation. However, it will also increase the risk of for contractors who wrongfully certify their compliance.

Flexible Timing: Contractors can be certified even if they do not satisfy all the standards provided, given they have a clear strategy for when and how they will accomplish the standards. It is important to note that since certain standards must be satisfied before certification, this flexibility will be hindered.

Over 300,000 members of the DIB — defense contractors, manufacturers and SMBs — must comply with CMMC. So, depending on the data your organization manages or is looking to manage, you must implement the security requirements of the certification level needed to either continue your current contract with the DoD or enter a new one. Once you implement these security requirements and complete the necessary assessment, you will have achieved compliance with the CMMC framework.

The first step to comply with CMMC is first complying with the Defense Federal Acquisition Regulations Supplement (DFARS) . The DFARS clauses in defense contracts are the compliance requirements that can be met by implementing the cybersecurity controls mentioned in NIST SP 800-171. If you are a defense contractor looking to become CMMC compliant, you must first implement the 110 security controls stated in NIST 800-171. It is recommended to begin this process as soon as possible because this process takes time, in some cases more than a year.

There will be many revisions made by the government on the specifics of the CMMC before the final version is released. To increase your security and data protection and ensure that these procedures are up to date, it is still important to implement cybersecurity practices following CMMC 2.0 guidelines.

For more information on CMMC, please visit NextLabs’ YouTube on How to Comply to CMMC at Different Levels and Safeguard Your Company’s Classified Information.