CMMC 2.0 Levels

The main purpose of CMMC 2.0 (Cybersecurity Maturity Model Certification 2.0) is to enhance the protection of sensitive defense information that is held by defense contractors and their supply chains. This cybersecurity framework aims to ensure that adequate security measures are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from evolving cybersecurity threats.

Key objectives of CMMC 2.0 include:

Strengthening Cybersecurity: By establishing a tiered set of cybersecurity standards and best practices that contractors must meet, CMMC 2.0 aims to reduce vulnerabilities and enhance the defense industrial base’s overall cybersecurity posture.

Simplifying Compliance: Compared to its predecessor, CMMC 2.0 streamlines the compliance process by reducing the number of levels and clearly defining certification requirements. This simplification helps contractors understand and achieve necessary cybersecurity standards more efficiently.

Ensuring Accountability: Through a mix of self-assessments, third-party certifications, and government-led audits, CMMC 2.0 holds contractors accountable for their cybersecurity practices, ensuring they are consistently implemented and maintained.

Protecting National Security: By securing the information systems that store, process, and transmit FCI and CUI, CMMC 2.0 helps prevent unauthorized access and data breaches that could compromise national security.

Compliance Level: Level 3: Expert
Distinction: Enhance and Evaluate
Activity: Additional advanced cybersecurity measures beyond NIST SP 800-171 are implemented, targeting protection against Advanced Persistent Threats (APTs). Assessments are conducted directly by the government.

Compliance Level: Level 2: Advanced
Distinction: Implement and Assess
Activity: Advanced cybersecurity practices based on NIST SP 800-171 are established to protect Controlled Unclassified Information (CUI). Regular third-party assessments are required every three years, supplemented by annual self-assessments.

Compliance Level: Level 1: Foundational
Distinction: Protect and Affirm
Activity: Basic cybersecurity practices are implemented to secure Federal Contract Information (FCI). Annual self-assessments are conducted and affirmed by company leadership.