A hierarchy of maturity levels based on project data security needs

CMMC 2.0 is an evaluation standard tied to NIST 800-171 controls governing the handling and protection of Controlled Unclassified Information (CUI) — data that, while not classified, is deemed by the DOD to be sensitive and critical to national security.

DOD suppliers will need to be certified to one or more of three escalating maturity levels:

Level 1 (Foundational) — 17 controls from NIST 800-171 focused on protecting Federal Contract Information (FCI); for suppliers with no CUI interaction

Level 2 (Advanced) — 110 controls from NIST 800-171, plus Level 1 controls; for all suppliers of all sizes working with CUI

Level 3 (Expert) — 127 controls from Levels 1 and 2, plus additional requirements for suppliers working with CUI from the highest-security DOD programs — specific requirements still being determined, likely to include additional controls from NIST 800-172

All Defense Industrial Base suppliers will need to comply with CMMC

All DIB suppliers will need to comply with CMMC 2.0 once its requirements become part of DOD RFQs, RFPs and contracts. DIB suppliers include:

  • All DOD primes and subcontractors and their suppliers
  • All commercial companies/suppliers that store, process or transmit CUI
  • All non-U.S. DIB suppliers

All companies with a DFARS cybersecurity clause will need to undergo CMMC audits and assessments, performed by an independent, certified third-party organization like CyberSheath, to validate their data security practices.

Every solution begins with a conversation.

Contact us today for a no-obligation discussion of CMMC 2.0 compliance, what's required, what you may need and what we can do to provide it. We've helped hundreds of DOD contractors. We can help you.