What is CMMC?
The Department of Defense (DoD) Undersecretary for Acquisition and Sustainment has released a unified cybersecurity framework for DoD acquisitions, the Cybersecurity Maturity Model Certification (CMMC). This framework builds upon existing direction set in the National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Defense Federal Acquisitions Regulation Supplement (DFARS) by adding additional focus on processes and policy.
The DoD initially released CMMC v1.0 in January 2020. The framework added a third-party verification system, eliminating the ability for organizations to self-certify compliance, and consisted of five levels of certification ranging from Level 1: Basic Cyber Hygiene to Level 5: Advanced.
Using feedback from industry, the DoD has since released an updated version of CMMC (v2.0) that streamlines and simplifies some of the requirements of v1.0. The new model consists of only three levels.
Level 1, Foundational, remains similar to its counterpart in v1.0. It contains 17 practices required for companies that only handle Federal Contract Information (FCI) and do not handle Controlled Unclassified Information (CUI). This level requires companies to perform an annual self-assessment of their basic cyber hygiene.
Level 2, Advanced, is similar to Level 3 in v1.0. It outlines 110 practices aligned with NIST SP 800-171 required of defense contractors who handle and must safeguard CUI. To achieve Level 2 certification, organizations must undergo triennial third-party assessments by organizations called Certified Third-Party Assessment Organizations, or C3PAOs. C3PAOs are certified by the CMMC Accreditation Body to perform assessments on behalf of the government to ensure compliance throughout the defense industry.
Level 3, Expert, is similar to Level 5 in v1.0. It includes the 110 practices in Level 2 and an additional set of practices based on NIST SP 800-172, which is currently in draft form. These requirements provide a greater depth of protection of critical national security information and reduce the risks of exploitation by Advanced Persistent Threats (APTs). At this level, organizations must undergo a triennial assessment of their cyber programs by the U.S. government.
The level achieved by the contractor will determine contract eligibility. Most small companies that only handle Federal Contract Information (FCI) will only need Level 1 certification, but any company that handles Controlled Unclassified Information (CUI) will need at least Level 2. The DoD expects that organizations that currently meet DFARS requirements will be able to qualify for Level 2 with relative ease. However, based on government research, most organizations that self-certify overestimate their compliance and have work to do now to be ready for third-party verification.
DoD also recognizes that there is a cost associated with maintaining proper cybersecurity and as part of CMMC has said that it will allow contractors to include their cybersecurity expenses as an allowable cost in their contracts.

CMMC levels align with the following focus:
- Level 1: Basic safeguarding of Federal Contract Information (FCI)
- Level 2: Protecting CUI
- Level 3: Protecting CUI and reducing risk of Advanced Persistent Threats (APT)
Compliance Solutions Built for CMMC
Compliance Just Got Easier
CMMC compliance doesn't have to be stressful or expensive. Tesseract Managed Cybersecurity Programs were designed by cyber and compliance experts to make FAR 52.204-21, NIST 800-171 and CMMC simple and affordable. Tesseract Programs feel custom-designed for your business while streamlining the complex technical issues into a set of best practices that meet the needs of your business in a compliant way. The result is a cybersecurity program that is faster, simpler, and more affordable than the alternatives, so your business can easily get and stay compliant.
Begin Your Journey to CMMC Compliance with a Free Evaluation!
Take advantage of our FREE program evaluations to get an understanding of your program's current compliance and guidance on next steps to achieve CMMC compliance and mature your organization's cybersecurity.