The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has three levels, each with distinct requirements and focuses:
- Level 1 (Foundational):
  - Focus: Basic cyber hygiene.
  - Requirements: The basic safeguarding requirements of FAR 52.204-21 (15 requirements, counted as 17 practices in earlier CMMC 2.0 materials), such as limiting system access to authorized users and protecting systems from malicious code.
  - Assessment: Annual self-assessment, with an annual affirmation of compliance by a senior company official.
  - Purpose: Protects Federal Contract Information (FCI).
- Level 2 (Advanced):
  - Focus: Protection of Controlled Unclassified Information (CUI) at the level required by DFARS 252.204-7012.
  - Requirements: The 110 security requirements of NIST SP 800-171, which include all Level 1 practices.
  - Assessment: Triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for most contracts; a limited set of programs may instead use a triennial self-assessment. An annual affirmation is required in both cases.
  - Purpose: Protects CUI.
- Level 3 (Expert):
  - Focus: Protection against advanced persistent threats for the most sensitive programs.
  - Requirements: All 110 NIST SP 800-171 requirements plus a selected subset of NIST SP 800-172 enhanced requirements; a Level 2 certification is a prerequisite.
  - Assessment: Triennial government-led assessment by the Defense Contract Management Agency's DIBCAC, with annual affirmation.
  - Purpose: Protects CUI associated with critical programs and national security priorities.
Each level builds upon the previous one: the Level 1 practices are a subset of the 110 Level 2 requirements, and Level 3 adds NIST SP 800-172 requirements on top of a completed Level 2 certification. The required level is set in the contract based on the sensitivity of the information the contractor will handle, so an organization can raise its cybersecurity posture in stages as it takes on work involving FCI, CUI, or CUI tied to critical programs.