CMMC Levels Explained: Domains & Control Requirement Guide

Since the beginning of 2022, much has changed – and more is likely to change – with the scope of the Department of Defense (DoD) CMMC levels and security requirements.

In an effort to streamline the process and reduce the burden on defense contractors, the DoD's CMMC 2.0 revision reduced the original five levels to three.

But what are those changes and why should you be concerned?

In this article, we will explain what the CMMC framework is, the various levels and security domains, and a summation of the intent behind each CMMC control family.


CMMC Levels Explained

The Cybersecurity Maturity Model Certification (CMMC) framework was born out of the DoD's realization that self-assessment by the Defense Industrial Base (DIB) was failing: DIB members were overwhelmingly unprepared, and not appropriately resourced, to run a compliance program on their own.

The CMMC model has its roots in Executive Order 13556, signed by President Obama in November 2010, which directed all Federal agencies to safeguard their Controlled Unclassified Information (CUI) under a single, government-wide program.

Why is the CMMC framework in place?

The DoD went through the rule-making process and published DFARS clause 252.204-7012, which requires defense contractors and their supply chains to:

  • provide adequate security to safeguard covered defense information (CDI);
  • rapidly report cyber incidents to DoD (within 72 hours of discovery);
  • submit any malicious software discovered in connection with an incident to the DoD Cyber Crime Center (DC3);
  • preserve affected media and submit additional information to support a DoD damage assessment; and
  • flow the clause down to subcontracts.

A question we are asked repeatedly is: “Do the DFARS 7012 and CMMC requirements apply to my company?” The short answer is yes, with a few exceptions. If you only sell to the DoD through micro-purchases, or only deliver Commercial Off-the-Shelf (COTS) products, you are most likely exempt. Even so, we would always caution you to ask your Contracting Officer or their representative for clarification.

The catch is that if you sell through a large prime contractor, the prime may require you to meet a minimum cybersecurity standard, such as CMMC Level 1 or CMMC Level 2, in order to stay compliant with the flow-down requirement in the DFARS 7012 clause. Based on our experience and current observations, it is highly unlikely that primes will manage multiple compliance verifications across their supply chains; they will instead push their suppliers to the higher watermark to simplify and manage their own compliance programs.

CMMC at its core is not a paperwork exercise but a program established to provide proactive protection against Advanced Persistent Threat (APT) actors such as:

Nation states – targeting military technologies to gain a competitive edge on the battlefield.

Terrorist and other non-governmental organizations – seeking to learn how to defeat our countermeasures on the battlefield.

Criminals – seeking to steal intellectual property and disrupt economic activity.


What are the CMMC levels?

In November 2021, DoD streamlined the program as CMMC 2.0. This eliminated the transitional Levels 2 and 4 of the original model, leaving three levels (Levels 1, 2, and 3) under the new framework.

DoD contractors whose contracts include DFARS 7012 are required to meet the safeguards defined in that clause in addition to the basic safeguarding requirements of FAR clause 52.204-21 (48 CFR 52.204-21).

CMMC Level 1

CMMC Level 1 is intended to implement basic cyber hygiene by meeting 17 foundational CMMC requirements that protect Federal Contract Information (FCI). These requirements correspond to the basic safeguarding requirements of FAR 52.204-21 and map to a subset of the security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171, which defines the requirements and assessment objectives DoD contractors are expected to implement.


CMMC Level 2

Under CMMC 2.0, Level 2 aligns with the 110 security requirements of NIST SP 800-171, which are designed to protect CUI. This level is intended to achieve advanced cybersecurity practices that deter and prevent Advanced Persistent Threats (APTs) and non-state actors from compromising defense contractors' information systems.


CMMC Level 3

CMMC Level 3 will be reserved for the most sensitive types of CUI, where compromise could cause the greatest damage to U.S. national security interests. Although its cybersecurity requirements have not yet been finalized or released, CMMC Level 3 is expected to be an expert-level implementation of the full Level 2 requirement set plus a subset of the enhanced requirements in NIST SP 800-172.

CMMC Maturity Levels

What are the 14 CMMC domains & related CMMC standards?

  • Access Control (AC)
  • Awareness & Training (AT)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

CMMC level 1 requirements

CMMC Level 1 security controls provide basic cyber hygiene for handling FCI. DoD prime contractors and subcontractors at this level are required to perform an annual self-assessment and an annual affirmation by a senior company official that they meet these basic controls; Level 1 is the entry point to the CMMC program, and the higher levels build on it.

 

CMMC level 1 controls


CMMC level 2 requirements

CMMC Level 2 addresses the protection of Controlled Unclassified Information (CUI), which the National Archives and Records Administration (NARA) defines as:

Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

 

CMMC level 2 controls

Contractors that handle CUI and must meet CMMC Level 2 require a CMMC Level 2 certification. For most such contracts, the assessment must be conducted every three years by a Certified Assessor working for a CMMC Third-Party Assessment Organization (C3PAO); DoD has indicated that a limited subset of Level 2 programs will instead be allowed to use an annual self-assessment.


CMMC level 3 requirements

CMMC Level 3 focuses on mitigation of Advanced Persistent Threats (APTs) and is reserved for the DoD's highest-priority programs. DoD has indicated that Level 3 assessments will be government-led rather than conducted by a C3PAO.

 

CMMC level 3 controls

Please note that CMMC Level 3 has not been finalized as of November 22, 2022. The standards referred to below are those of NIST SP 800-172, from which DoD has indicated it will derive the CMMC enhanced security controls.

As such, the following are the proposed Level 3 controls:

Let us help you identify which of the CMMC maturity levels is right for you!

CMMC implementation requires a detailed action plan, an intermediate cyber hygiene level, and expert CMMC consultants to roll out and remain compliant.

Download our fact sheet for a complete list of standards for each level, and then reach out to us with any further questions or for help upgrading your organization's cybersecurity program.