
By: Dyan Sheryl Carolino on September 11th, 2024


The Ultimate Guide to the CMMC 2.0 Certification Levels


Are you trying to make sense of the new CMMC 2.0 framework? If your business contracts with the Department of Defense (DoD) or operates in a sector requiring strict cybersecurity measures, understanding CMMC 2.0 is essential.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 introduces a streamlined approach to cybersecurity, ensuring that companies protect sensitive data while meeting DoD standards. But what are the levels of certification, and how can your business achieve compliance? 

As experts in IT compliance and cybersecurity, Intelligent Technical Solutions (ITS) has helped organizations navigate the complexities of CMMC requirements, from initial assessments to achieving full certification. Our deep understanding of the CMMC framework allows us to guide businesses through the process efficiently and effectively.

In this article, we'll break down the following: 

  1. What is CMMC 2.0?
  2. Why CMMC 2.0 Matters
  3. Breakdown of CMMC 2.0 Levels
  4. The Security Domains of CMMC 2.0
  5. Timeline for CMMC 2.0 Implementation
  6. How to Achieve CMMC 2.0 Compliance

By the end, you'll have a solid understanding of where your business stands and what actions are necessary to meet these critical cybersecurity standards. 

What is CMMC 2.0? 


The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the latest version of the DoD's cybersecurity framework. It was introduced to simplify the certification process, reduce barriers to compliance, and better align with existing federal cybersecurity requirements. CMMC 2.0 aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). 

Unlike the original CMMC, which had five levels, CMMC 2.0 has consolidated the levels into three, focusing on fewer and more clearly defined requirements. These levels are designed to ensure that all contractors working with the DoD implement the necessary cybersecurity practices to protect sensitive information. 

Why CMMC 2.0 Matters 

CMMC 2.0 is not just about meeting regulatory requirements—it's about safeguarding your business from cybersecurity threats. Compliance with CMMC 2.0 is mandatory for organizations working with the DoD. Failure to comply can result in lost contracts and other significant consequences. Achieving the appropriate CMMC 2.0 level ensures your business is protected, competitive, and trusted by partners and customers. 

Breakdown of CMMC 2.0 Levels 

Infographic detailing CMMC 2.0 levels for federal contract information and unclassified information

Level 1: Foundational 

CMMC Level 1, also known as the Foundational level, focuses on basic cybersecurity practices. It consists of 17 practices, which are the CMMC model's enumeration of the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21, and it is designed to protect FCI. These are straightforward practices that any organization handling federal contract information should already have in place. 

Key Requirements

  • Malicious code (antivirus) protection that is kept up to date 
  • Basic access controls that limit system access to authorized users, processes and devices 
  • Basic network security measures, such as boundary firewalls and separation of public-facing systems from internal networks 
  • All other basic safeguarding requirements described in FAR clause 52.204-21 (48 CFR 52.204-21) 

Who Needs It? 

This level is required for organizations that handle Federal Contract Information (FCI) and need to demonstrate fundamental cybersecurity practices to the DoD. FAR clause 52.204-21 defines FCI as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government," excluding information the Government itself releases to the public and simple transactional information such as that needed to process payments. 

Can You Achieve It on Your Own? 

Yes. Level 1 requires an annual self-assessment rather than a third-party audit: each year your business reviews its own practices against the Level 1 requirements, records the result in the Supplier Performance Risk System (SPRS), and has a senior company official affirm that all requirements are met. Note that Level 1 allows no Plan of Action and Milestones (POA&M); every practice must be fully implemented at the time of the self-assessment.

Level 2: Advanced 

CMMC 2.0 Level 2 is focused on protecting Controlled Unclassified Information (CUI). It consists of the 110 security requirements of National Institute of Standards and Technology (NIST) SP 800-171 Revision 2, the same requirements that DFARS clause 252.204-7012 has obliged contractors handling CUI to implement since 2017. What CMMC adds is verification that those requirements are actually in place.

What is CUI? 

Controlled Unclassified Information (CUI) refers to sensitive data that, while not classified, still requires protection according to federal regulations. This can include technical details, project plans, or other information that, if compromised, could harm national security or business interests. 

Key Requirements

  • Implementation of multi-factor authentication 
  • Regular system audits and monitoring 
  • Enhanced incident response capabilities 
  • Access control and configuration management 

Who Needs It? 

Organizations handling CUI and working with the DoD must achieve Level 2 to demonstrate their ability to protect sensitive information effectively. 

Can You Achieve It on Your Own? 

It depends on the contract. CMMC 2.0 defines two Level 2 tracks. For some contracts, the DoD allows a Level 2 self-assessment, performed every three years with an annual affirmation by a senior company official and the score posted in SPRS. For contracts involving more critical CUI, which the DoD expects to be the majority, a certification assessment by an authorized C3PAO is required, also every three years with annual affirmations in between. The solicitation states which track applies; a C3PAO certification satisfies either.  

You may need assistance from the following: 

  • C3PAO (CMMC Third-Party Assessment Organization): Where the contract requires Level 2 certification, the assessment must be performed by a C3PAO authorized by the Cyber AB, the CMMC accreditation body. The C3PAO verifies that each of the 110 requirements is implemented and issues the certification. 
  • Cybersecurity Consultants: Many organizations opt to work with a consultant to help prepare for the assessment, implement necessary practices, and ensure all documentation is in order. 

Additionally, consultants and auditors must be separate entities. While some companies offer both consulting and auditing services, they cannot perform both roles for the same client due to potential conflicts of interest. You can hire a consultant to help prepare for the audit, but a different C3PAO must conduct the actual certification. 

Level 3: Expert 

CMMC 2.0 Level 3 is designed for organizations supporting the DoD's most critical programs, where CUI is a target of advanced persistent threats. It requires a C3PAO-issued Level 2 certification as a prerequisite, so all 110 NIST SP 800-171 requirements must already be in place, and adds 24 enhanced security requirements selected from NIST SP 800-172, such as threat hunting, penetration testing and a 24/7 security operations capability. 

Key Requirements

  • Continuous monitoring and assessment of cybersecurity practices 
  • Advanced threat detection and response systems 
  • Rigorous risk management and incident response protocols 

Who Needs It? 

This level is intended for organizations that handle highly sensitive CUI and face the most significant cybersecurity risks, such as those in critical infrastructure or high-value assets. 

Can You Achieve It on Your Own?  

No. Level 3 assessments are conducted by the government, specifically the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO. A C3PAO-issued Level 2 certification must be in hand before the Level 3 assessment begins. The assessment is repeated every three years, with an annual affirmation of continued compliance in between. 

The Security Domains of CMMC 2.0 

CMMC organizes its practices into security domains, which map directly onto the control families of NIST SP 800-171. Understanding these domains is essential for ensuring your organization meets the necessary requirements at each CMMC 2.0 level. 

CMMC draws its requirements from existing federal sources: FAR clause 52.204-21 (Level 1), DFARS clause 252.204-7012 and NIST SP 800-171 (Level 2), and NIST SP 800-172 (Level 3). The original CMMC 1.0 model grouped its practices into 17 domains and 43 capabilities. CMMC 2.0 dropped the capability layer and the three domains that had no counterpart in NIST SP 800-171 (Asset Management, Recovery and Situational Awareness), leaving 14 domains that match the 14 requirement families of SP 800-171. Level 1's practices fall within six of these domains (AC, IA, MP, PE, SC and SI); Level 2 and Level 3 span all 14. 

The list below shows the 17 domains of the original model, with the three that CMMC 2.0 removed marked accordingly: 

  1. Access Control (AC) - Managing who has access to information and systems.
  2. Asset Management (AM) - Tracking and managing the assets that contain sensitive information. (CMMC 1.0 only; not a domain in CMMC 2.0.)
  3. Audit and Accountability (AU) - Keeping records of who accesses systems and data, and being able to trace actions to individuals.
  4. Awareness and Training (AT) - Educating employees on cybersecurity risks and best practices.
  5. Configuration Management (CM) - Maintaining security settings and system configurations.
  6. Identification and Authentication (IA) - Ensuring that users are who they say they are before granting access.
  7. Incident Response (IR) - Preparing for, detecting, and responding to cybersecurity incidents.
  8. Maintenance (MA) - Performing regular maintenance on systems to ensure they remain secure.
  9. Media Protection (MP) - Protecting and controlling access to both digital and physical media.
  10. Personnel Security (PS) - Ensuring that only trusted individuals have access to sensitive information.
  11. Physical Protection (PE) - Safeguarding physical access to IT systems and data storage areas.
  12. Recovery (RE) - Planning for and recovering from cybersecurity incidents. (CMMC 1.0 only; not a domain in CMMC 2.0, where backup requirements sit under Media Protection.)
  13. Risk Management (RM) - Identifying, evaluating, and mitigating risks to organizational operations. (Called Risk Assessment (RA) in CMMC 2.0.)
  14. Security Assessment (CA) - Regularly testing and evaluating security controls to ensure they are effective.
  15. Situational Awareness (SA) - Maintaining a clear understanding of the organization’s security posture and potential threats. (CMMC 1.0 only; not a domain in CMMC 2.0.)
  16. System and Communications Protection (SC) - Ensuring that systems and communications are protected from unauthorized access.
  17. System and Information Integrity (SI) - Protecting against unauthorized changes to systems and information.

These domains collectively ensure a robust cybersecurity posture by addressing every aspect of security, from access controls to incident response and recovery. Depending on the CMMC 2.0 level your organization is aiming for, you will need to implement practices across these domains to achieve and maintain compliance. 


Timeline for CMMC 2.0 Implementation 

Understanding the timeline for CMMC 2.0 implementation is critical for planning your organization’s compliance efforts. The rollout of CMMC 2.0 is being phased in over several years, with key milestones that businesses must be aware of. 

1. Announcement and Interim DFARS Rule (2020-2022) 

CMMC 2.0 was announced on November 4, 2021, to streamline the original five-level model. The DoD suspended the CMMC 1.0 pilot and stated that no CMMC requirement would appear in contracts until rulemaking was complete. In the meantime, the interim DFARS rule of November 2020 continued to apply: contractors handling CUI must implement NIST SP 800-171 under DFARS 252.204-7012 and post a self-assessment score in the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and 252.204-7020. CMMC 2.0 builds on those obligations rather than replacing them. 

2. Rulemaking Process (2023-2024) 

The DoD published the proposed CMMC Program rule (32 CFR Part 170) in the Federal Register on December 26, 2023, defining the levels, assessment types and phase-in schedule; the public comment period closed on February 26, 2024. A companion proposed DFARS rule (48 CFR), which will insert the CMMC clause into solicitations and contracts, followed on August 15, 2024. The final 32 CFR rule was still pending when this article was written, so the dates in the phases below should be read as the DoD's stated plan rather than fixed deadlines. 

3. Voluntary Assessments (2022-2024) 

Organizations did not have to wait for the final rule to be assessed. Since 2022, the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and authorized C3PAOs have conducted voluntary Joint Surveillance assessments against NIST SP 800-171. Under the proposed rule, a Joint Surveillance assessment completed with a perfect score of 110 is to be recognized as a Level 2 certification valid for three years from the assessment date, so these assessments let organizations test their readiness and get ahead of the queue before the requirements become mandatory. 

4. Phased Rollout of Mandatory Compliance (2025 Onward) 

Under the proposed rule, CMMC requirements enter new contracts in four phases over three years, starting when the DFARS rule takes effect (expected in 2025). Phase 1 requires Level 1 and Level 2 self-assessments; Phase 2, one year later, adds Level 2 C3PAO certification; Phase 3, one year after that, adds Level 3 certification; Phase 4, at the three-year mark, applies CMMC to all applicable solicitations and contracts, including option periods on existing contracts. From the phase that covers your contract onward, any business seeking to win or maintain that DoD work will need to be certified at the CMMC 2.0 level the solicitation specifies. 

5. Ongoing Updates and Continuous Monitoring 

Even after achieving certification, organizations will need to engage in continuous monitoring and regular updates to maintain compliance. The CMMC 2.0 framework is designed to evolve with the changing cybersecurity landscape, meaning businesses must stay vigilant and proactive in their cybersecurity efforts. 

Understanding this timeline allows your organization to plan and allocate resources effectively to meet CMMC 2.0 requirements. Starting early and staying informed about updates will be key to ensuring a smooth transition to full compliance. 

How to Achieve CMMC 2.0 Compliance 

Achieving CMMC 2.0 compliance involves several steps, from understanding the requirements to preparing for a third-party assessment. Here's how you can get started: 

1. Conduct a Gap Analysis 

Start by assessing your current cybersecurity practices against the requirements of the CMMC 2.0 level you need to achieve. Identify gaps and areas for improvement. 

2. Implement Required Practices 

Based on your gap analysis, implement the necessary cybersecurity measures. This may involve upgrading your systems, training your staff, or adopting new technologies. 

3. Document Your Practices 

CMMC 2.0 requires thorough documentation of all cybersecurity practices. Ensure that your policies, procedures, and controls are well-documented and easily accessible for assessment. 

4. Prepare for Assessment 

For Level 2, organizations must undergo either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO), as specified in the contract; for Level 3, the assessment is conducted by DIBCAC, the DoD's own assessment center. Ensure that your systems are fully operational and compliant before the assessment. 

5. Maintain Compliance 

CMMC 2.0 is not a one-time certification. Continuous monitoring, regular updates, and ongoing training are essential to maintain compliance and protect your organization from emerging threats. 
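Here is how the gap analysis in step 1 translates into the number a Level 2 assessment actually produces, and how it decides whether the leftover gaps from step 2 may be deferred. The following is an added example written for this article (not code from ITS, the DoD or the Cyber AB). It assumes the scoring rules of the NIST SP 800-171 DoD Assessment Methodology, which is the same scoring used for the SPRS self-assessment score and, under the CMMC Level 2 rule, for deciding whether remaining gaps may be placed on a Plan of Action and Milestones (POA&M). The weight table covers only the requirements used in the constructed sample; the full 110-entry table is in Annex A of the methodology.

```python
"""Score a NIST SP 800-171 gap analysis and check CMMC Level 2 POA&M eligibility.

Added example for this article, not code from ITS or the DoD. Assumed rules
(NIST SP 800-171 DoD Assessment Methodology): a perfect score is 110, each
unmet requirement subtracts its weight (5, 3 or 1), and two requirements earn
partial credit (3.5.3 multifactor authentication and 3.13.11 FIPS-validated
CUI encryption lose 3 instead of 5 when partially met). POA&M eligibility
follows the CMMC Program rule for Level 2: a score of at least 88, only
1-point gaps may be deferred (3.13.11 may also be deferred at 3 points), and
3.1.20, 3.1.22, 3.10.3, 3.10.4 and 3.10.5 may never be deferred.
"""
from enum import Enum

MAX_SCORE = 110
MIN_POAM_SCORE = 88          # 80 % of 110

# Weights for the requirements used in the samples below, per Annex A of the
# methodology. The full table has 110 entries; extend it from the annex.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.7": 1,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.11": 5, "3.13.16": 1, "3.14.1": 5,
}
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}   # partially met -> lose 3, not 5
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"      # only meaningful for PARTIAL_CREDIT requirements
    NOT_MET = "not met"


def deduction(req_id: str, status: Status) -> int:
    """Points lost for one requirement given its implementation status."""
    if status is Status.MET:
        return 0
    if req_id not in WEIGHTS:
        raise ValueError(f"no weight known for requirement {req_id}")
    if status is Status.PARTIAL:
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule; mark it NOT_MET")
        return 3
    return WEIGHTS[req_id]


def assessment_score(findings: dict[str, Status]) -> int:
    """SPRS-style score. Requirements absent from `findings` count as met."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_eligibility(findings: dict[str, Status]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons). Eligible means every open gap may be
    deferred to a POA&M under the Level 2 rule; reasons explain any 'no'."""
    reasons = []
    score = assessment_score(findings)
    if score < MIN_POAM_SCORE:
        reasons.append(f"score {score} is below the minimum of {MIN_POAM_SCORE}")
    for req_id, status in findings.items():
        lost = deduction(req_id, status)
        if lost == 0:
            continue
        if req_id in NEVER_ON_POAM:
            reasons.append(f"{req_id} may never be placed on a POA&M")
        elif lost > 1 and not (req_id == "3.13.11" and lost == 3):
            reasons.append(f"{req_id} loses {lost} points; only 1-point gaps may be deferred")
    return (not reasons, reasons)


# Constructed sample gap analyses (not real assessment data).
GAPS_A = {
    "3.1.1": Status.MET,
    "3.5.3": Status.PARTIAL,     # MFA for remote/privileged users only
    "3.13.11": Status.PARTIAL,   # encryption in use but not FIPS-validated
    "3.13.16": Status.NOT_MET,   # CUI at rest not encrypted
    "3.1.20": Status.NOT_MET,    # external connections not controlled
    "3.5.7": Status.NOT_MET,     # no password complexity policy
}
GAPS_B = {
    "3.13.11": Status.PARTIAL,
    "3.13.16": Status.NOT_MET,
    "3.5.7": Status.NOT_MET,
}

if __name__ == "__main__":
    for name, gaps in (("A", GAPS_A), ("B", GAPS_B)):
        ok, why = poam_eligibility(gaps)
        print(f"sample {name}: score {assessment_score(gaps)}, "
              f"{'POA&M eligible' if ok else 'must remediate before assessment'}")
        for line in why:
            print("  -", line)
```

Sample A scores 101, comfortably above 88, yet it is not POA&M-eligible: partial MFA (3.5.3) still costs 3 points and 3.1.20 can never be deferred, so both must be fixed before the C3PAO visit. Sample B scores 105 and every open gap is deferrable, which would yield a conditional certification with 180 days to close the POA&M. The practical lesson is that the score alone does not tell you whether you are ready; which requirements are open matters as much as how many.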


Running Out of Time with CMMC 2.0? 

CMMC 2.0 represents a significant shift in the way the DoD approaches cybersecurity. By streamlining the certification process and focusing on fewer, more defined levels, it provides a clear path for organizations to protect sensitive information and secure government contracts. Understanding and achieving the appropriate CMMC 2.0 level is crucial for any business working with the DoD. 

As cyber threats continue to evolve, staying compliant with CMMC 2.0 not only ensures that you meet regulatory requirements but also strengthens your overall security posture. Start preparing today to protect your business and secure your place in the defense supply chain. 

For a deeper dive into how to prepare for your CMMC 2.0 assessment, schedule a meeting with one of our consultants. You may also visit our Compliance page or check out our Learning Center resources: