Department of Defense CMMC Model
The DoD created the CMMC model as a cybersecurity standard for the DIB. CMMC assessments initially occurred across five levels of maturity, with level 1 requiring the most basic cybersecurity and level 5 requiring the most advanced.
With CMMC 2.0, the DoD is changing the CMMC standards and collapsing the model into three levels, down from the previous five. CMMC 2.0 now becomes the DoD’s methodology for holding its supply chain accountable for implementing the FAR 52.204-21 and DFARS 252.204-7012 clauses, which means that it will replace CMMC 1.0. The overarching goal of the model remains the same, however: protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The reduction from five tiers to three is intended to simplify the assessment process.
Contractors can begin by identifying which level their organization falls under:
- Level 1 (Foundational) – Nothing has really changed with this level in the newer model. If you handle FCI but not CUI, you fall into Level 1. These organizations are expected to implement the Federal Acquisition Regulation’s 17 most basic cybersecurity controls. ALL Federal contractors are required to implement these 17 basic safeguards, which focus, for instance, on physical protection and access control. Although this is the lowest level, implementing these controls is not an overnight process, so contractors should remain diligent when doing so.
- Level 2 (Advanced) – Formerly Level 2/3. If your business is in the manufacturing sector and/or provides parts and services for weapons, it is very likely that your small business will fall under this category.
- Level 3 (Expert) – Formerly Level 4/5. Large prime contractors and those of us who work on super critical national security programs that are significant targets of nation-state adversaries and any Advanced Persistent Threat (APT) will have to focus on Level 3. These organizations handle CUI, but they also likely handle secret and, potentially, top-secret information.