Cybersecurity Maturity Model Certification (CMMC) Compliance

Cybersecurity Maturity Model Certification (CMMC) is the program the Department of Defense (DoD) uses to verify the cybersecurity posture of suppliers and contractors in the Defense Industrial Base (DIB). At the lowest level, compliance is verified by self-assessment; at the two higher levels it is verified by an external assessment, either by an accredited third-party assessor or by the government itself. CMMC 2.0 has three compliance levels:

Level 1 Foundational - for contractors that handle Federal Contract Information (FCI) but do not process, store or transmit Controlled Unclassified Information (CUI). Level 1 requires the basic safeguarding practices drawn from FAR 52.204-21 (listed as 17 practices in the original CMMC 2.0 guidance; the 2024 final rule counts them as 15), and compliance is maintained through an annual self-assessment and affirmation.

Level 2 Advanced - the middle level aligns with the 110 security requirements in NIST SP 800-171, which apply to any contractor that processes, stores or transmits CUI under a federal contract. Depending on the contract, Level 2 is verified either by a self-assessment or by a certification assessment performed by a CMMC Third-Party Assessment Organization (C3PAO) every three years, giving the DoD independent evidence that information related to defense contracts is protected.

Level 3 Expert - the top level builds on a Level 2 certification and adds a subset of the 35 enhanced security requirements in NIST SP 800-172 (24 of them under the 2024 final rule), which are intended to protect CUI against advanced persistent threats. Level 3 is assessed by the government, through DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), rather than by a C3PAO. Whether Level 3, and therefore NIST SP 800-172, is required is stipulated by the DoD in the solicitation on a per-contract basis.

Critical Insight, 245 4th St Ste 405, Bremerton, WA 98337