
CMMC Levels Explained

Companies in the Defense Industrial Base (DIB) sector must comply with the requirements of the Cybersecurity Maturity Model Certification (CMMC) in order to bid on and win contracts with the Department of Defense (DoD).

CMMC has gone through several revisions and is currently on version 2.0. This article explains what the updates are, and what the different CMMC levels mean.

What is CMMC 2.0?

CMMC 2.0 is the second version of the CMMC framework, whose original release was in 2019. It features updated security requirements for critical defense supply chains and has been adopted by the US Department of Defense. It consolidated the five levels of version 1.0 into three levels, making the model easier to understand and easier for organizations to implement.

Another difference with the updated CMMC 2.0 framework is how it’s further tailored to the needs of the DoD. Each level in CMMC 2.0 corresponds to different security measures that organizations need to take in order to protect their data and supply chains.

Companies seeking certification benefit from having a CMMC consultant assess their compliance. Our CMMC Registered Practitioner consultants will evaluate the company’s security posture and determine which level it currently meets versus the level it needs to reach.

The 3 CMMC Levels

The three CMMC levels in version 2.0 are foundational, advanced, and expert. Organizations can choose which level they need to implement, based on their requirements. The higher levels offer more protection, but demand more resources to implement.

CMMC Level 1: Foundational Cyber Hygiene

The most basic level of security, Level 1, requires implementation of basic cybersecurity hygiene practices such as password management and keeping systems up-to-date with patches. This level is intended for small businesses with minimal risk to their data.

Level 1 is based on 17 controls, which are found in FAR 52.204-21. This is a good starting point for organizations that are just beginning to implement cybersecurity measures, or that have limited resources.

Level 1 certification is required for companies that handle Federal Contract Information (FCI) but aren’t considered part of the critical infrastructure, a category that includes most businesses and government agencies.

CMMC Level 2: Advanced Cyber Hygiene

Level 2 builds on the cybersecurity hygiene practices of Level 1 and requires additional measures to be put in place. Level 2 is aligned with NIST SP 800-171 and includes 110 practices. These practices cover areas such as access control, incident response, risk management, physical security, and system and information integrity.

Level 2 certification is required for companies that handle CUI and are considered part of the critical infrastructure. This includes companies in the energy, water, communications, and transportation sectors.

CMMC Level 3: Expert Cyber Hygiene

Level 3 is the highest level of CMMC certification and requires the most stringent security measures. Level 3 is based on NIST SP 800-171 and adds additional practices from NIST SP 800-172. The extra practices focus on more sophisticated detection and response capabilities, information protection, and system hardening requirements.

Level 3 certification is required for the same types of companies that need Level 2 certification, but that also handle CUI under the most sensitive, highest-assurance DoD contracts. Organizations required to comply with CMMC Level 3 are assessed by the Federal Government’s Defense Contract Management Agency. Assessment process details for Level 3 are still being developed at this time.

How CMMC Certification Can Benefit Companies That Don’t Need to Be Compliant

Even if your company does not need to be CMMC certified, there are still many benefits to implementing measures from the available CMMC levels. Cybersecurity is becoming more and more important, and CMMC provides a comprehensive framework for protecting data. Implementing CMMC measures can help your company protect its data and avoid costly breaches.

If your company isn’t required to be CMMC certified, you can still choose to implement some or all of the measures. This can help you improve your cybersecurity posture and show potential customers that you take data security seriously.

CMMC certification can also help you win more business. Many companies are now requiring their suppliers to become CMMC certified. By becoming certified, you can show these companies that you’re serious about data security and that you have the necessary measures in place to protect their data. This can give you a competitive advantage when bidding on contracts.

CMMC certification can be a long and difficult process, but it’s worth it for the benefits it provides.

Get CMMC Certified with Brightline IT

If you’re interested in CMMC certification, Brightline IT can help. We have certified CMMC Registered Practitioner consultants and can help you through every step of the process. We’ll assess your current cybersecurity posture, help you implement necessary controls and practices, and guide you through the certification process.

For more information about CMMC certification, contact us today.