
Getting Started with CMMC: Overview and Levels

The Cybersecurity Maturity Model Certification (CMMC) framework, developed by the Department of Defense (DOD), defines three CMMC levels to strengthen cybersecurity across the defense industrial base (DIB). It has evolved to address many of the growing needs and cybersecurity practices for companies that are doing business with the federal government.

To get started on your journey to CMMC compliance, it’s important to ground yourself in a clear understanding of the NIST 800-171 controls. These controls form the backbone of CMMC Level 2 compliance.


How CMMC Got Started

In November 2010, President Barack Obama issued Executive Order 13556 establishing the Controlled Unclassified Information (CUI) program to standardize the handling of unclassified information requiring protection, educate the government on what CUI is, and act as a resource to understand what protections need to exist.

Then in October 2016, the DOD issued DFARS Clause 252.204-7012, requiring defense contractors to implement NIST SP 800-171 to protect CUI. A couple of months later, NIST SP 800-171 Rev. 1 was published, defining the controls that must be implemented to satisfy DFARS 252.204-7012. In February 2020, NIST SP 800-171 was revised again as Rev. 2, which was subsequently updated in January 2021. While Rev. 3 of this standard was published in May of last year, DOD released a memo stating that this revision will not be required at this time. As it stands today, your certification focuses on Rev. 2.

Concurrently with the last two revisions to NIST 800-171, in September 2020 DOD published an interim rule to the DFARS, establishing CMMC 1.0, which was a five-level model. In November 2021, DOD announced CMMC 2.0 which further refined CMMC to three levels. When researching the controls, make sure that the resources reference the CMMC 2.0 model containing three levels.


Current CMMC Regulatory Landscape

That history brings us to recent developments. In December 2023, the Office of Information and Regulatory Affairs (OIRA) and the Office of Management and Budget (OMB) completed the review of the CMMC proposed rule, with the 60-day public comment period having closed on February 26, 2024. Comments will need to be reviewed before any more guidance comes from the DOD.

The final rule was submitted to OIRA in June 2024, cleared in September 2024, and published in The Federal Register on October 15. CMMC 2.0 was implemented on December 16, 2024. If you haven’t started already, you need to start engaging with your IT teams, examining your hiring practices, and implementing these compliance and technical controls.


What Are the Three CMMC Levels?

Your contract dictates which CMMC level you need to meet. Here are descriptions of each.

Level 1: Foundational – Protection of FCI: This is the entry-level certification and is required for all companies that handle FCI (Federal Contract Information). This level includes basic cyber hygiene practices. It focuses on safeguarding FCI and outlines 17 cybersecurity practices drawn from FAR 52.204-21 (Federal Acquisition Regulation) and NIST SP 800-171.

Level 2: Advanced – Protection of FCI and CUI: This level includes 110 security requirements and 320 assessment objectives aligned with NIST SP 800-171. These practices include System Security Plan (SSP) development, access control implementation, and regular cybersecurity best practice training for employees. The certification process for Level 2 involves a review by a Cyber-AB certified assessor (C3PAO), who will verify that the company has implemented the required cybersecurity practices. Level 2 requires a lot of documentation—and it includes technical and administrative controls.

Level 3: Expert – Protection of FCI and CUI: This highest level is required for companies that handle CUI deemed the highest priority by the DOD. It builds upon the 110 security requirements from Level 2 and adds additional requirements from NIST SP 800-172. The CMMC Assessment guide for Level 3 is under development and has yet to be released.


About NIST 800-171 Controls

NIST 800-171 provides the framework for securing CUI within non-federal systems and organizations. It includes 14 control families with a total of 110 requirements and 320 objectives, addressing both technical and non-technical aspects of security. Meeting these controls requires thorough and precise documentation.


Control Family                          Number of Controls
Access Control                          22
Awareness and Training                   3
Audit and Accountability                 9
Configuration Management                 9
Identification and Authentication       11
Incident Response                        3
Maintenance                              6
Media Protection                         9
Personnel Security                       2
Physical Protection                      6
Risk Assessment                          3
Security Assessment                      4
System and Communications Protection    16
System and Information Integrity         7
Total                                  110


In our next blog, we will discuss tips to achieve CMMC Level 2 compliance. In the meantime, if you have any questions about how we can help your organization navigate CMMC, contact us. We are CMMC experts, ready to guide you through the CMMC levels and help you meet your compliance goals.
