Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that serves as a framework for enforcing Defense Federal Acquisition Regulation Supplement (DFARS) requirements as well as NIST SP 800-171 and NIST SP 800-172. To better ensure national security, there are five distinct levels of CMMC certification:
Level 1 — to achieve CMMC Level 1 certification, defense contractors must exhibit basic cyber hygiene. This level establishes the security foundation for the subsequent levels of the model and must be completed by all certified organizations. Level 1, which includes 17 controls, is achievable for smaller companies and consists of a subset of universally accepted common security practices. Organizations must demonstrate that they have implemented effective security controls and that they are able to protect Federal Contract Information (FCI). CMMC Level 1 is the basic DFARS cybersecurity clause in most DoD contracts.
Level 2 introduces maturity into CMMC. The two processes for CMMC Level 2 are to establish a policy around each of the CMMC domains and to document that your practices implement the policy. CMMC Level 2 also adds 55 practices on top of the 17 CMMC Level 1 practices, for a total of 72 cybersecurity controls. It is NOT expected that there will be many DoD contracts with a CMMC Level 2 requirement. CMMC Level 2 was designed as a bridging solution between CMMC Level 1 and Level 3.