The first edition of the Cybersecurity Maturity Model Certification (CMMC 1.0) framework was released by the US Department of Defense (DoD) in January 2020. It was established to ensure that two categories of data are protected by appropriate cybersecurity practices:
Federal contract information (FCI) is defined in FAR 52.204-21 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”
Controlled unclassified information (CUI) is defined in 32 CFR 2002.4 as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Many Defense Industrial Base (DIB) companies, however, found CMMC 1.0 too complex and too costly. The DoD responded by announcing CMMC 2.0 in November 2021. CMMC 2.0 is a streamlined version of the original: Levels 2 and 4 were removed, reducing the number of levels from five to three. The three remaining levels are Foundational, Advanced and Expert.
The CMMC 2.0 level an organization needs is determined by the type of information it handles for the DoD: the more sensitive the information, the higher the required level. Each level maps to existing standards, namely the Federal Acquisition Regulation (FAR) and National Institute of Standards and Technology (NIST) publications, and the practices and maturity processes that were unique to CMMC 1.0 have been dropped.
CMMC 2.0 Level 1: Foundational
Like CMMC 1.0 Level 1, this level focuses on protecting FCI. FCI is less sensitive than CUI and is not considered critical to national security. If your organization wants to compete for DoD contracts that involve only FCI, Level 1 is the target.
To achieve Level 1, you must complete an annual self-assessment (with an annual affirmation by a senior company official) and implement the 17 practices derived from FAR 52.204-21, which sets out the basic safeguarding requirements for protecting FCI.
CMMC 2.0 Level 2: Advanced
Like CMMC 1.0 Level 3, this level is aimed at protecting CUI, which requires stronger safeguards than FCI.
CMMC 2.0 further splits Level 2 by the sensitivity of the CUI involved, distinguishing prioritized acquisitions from non-prioritized acquisitions. For instance, CUI related to military hardware would fall under a prioritized acquisition, whereas CUI related to military clothing would fall under a non-prioritized one.
The first category covers CUI that the DoD considers critical to national security. Contractors handling such information must undergo an assessment every three years by a CMMC Third-Party Assessment Organization (C3PAO). For CUI in the second category, an annual self-assessment is sufficient.
In addition, CMMC 2.0 Level 2 requires compliance with all 110 security requirements of NIST SP 800-171, which is 20 fewer than the 130 practices required for CMMC 1.0 Level 3.
CMMC 2.0 Level 3: Expert
This level is for DIB companies that handle CUI on the DoD’s highest-priority programs. Like CMMC 1.0 Level 5, CMMC 2.0 Level 3 focuses on reducing the risk from advanced persistent threats (APTs). APTs are well-resourced adversaries, typically state-sponsored, that pursue highly sensitive information such as engineering plans for critical systems or the credentials used to access DIB companies’ IT systems.
To reach this level, you must implement the 110 CMMC 2.0 Level 2 requirements plus a subset of the enhanced requirements in NIST SP 800-172. Assessments are conducted by the government every three years, rather than by a C3PAO.