The Three Levels of CMMC 2.0

Published by Axio

CMMC 2.0 is a major update to the previous version, CMMC 1.0, and introduces three distinct maturity levels that contractors must achieve to bid on DoD contracts. In our first blog post in this series on CMMC, we discussed its brief history, pushbacks and roadblocks, and why compliance will ultimately be a requirement. In this blog post, we will explore the three levels of CMMC 2.0 in detail, including what each level involves, the requirements for achieving each level, and the implications for cybersecurity practitioners.

Level 1: Basic Cyber Hygiene

Level 1 of CMMC 2.0 is focused on basic cyber hygiene and is designed to ensure contractors have basic cybersecurity controls in place to protect sensitive information. This level includes 17 basic cybersecurity practices, including antivirus software, access control, and incident response. These practices are intended to be easy to implement and serve as a foundation for higher maturity levels.

To achieve Level 1 certification, contractors must demonstrate that they have implemented all 17 basic cybersecurity practices. The certification process involves a self-assessment and an assessment by a third-party assessor. Once certified, contractors can bid on contracts that require Level 1 certification.

What cybersecurity practitioners should know about CMMC Level 1

While Level 1 may seem basic, it is still an important foundation for cybersecurity readiness. As cybersecurity practitioners, we should not overlook the importance of basic cybersecurity practices, as they can make a significant difference in protecting sensitive information from cyber threats. Additionally, we should focus on helping contractors implement these practices effectively and efficiently to minimize the burden on their organizations.

Level 2: Intermediate Cyber Hygiene

Level 2 of CMMC 2.0 builds on the basic cyber hygiene practices of Level 1 and adds additional cybersecurity controls to protect Controlled Unclassified Information (CUI). This level includes a total of 72 cybersecurity practices, including requirements for multi-factor authentication, encryption, and vulnerability scanning.

To achieve Level 2 certification, contractors must demonstrate that they have implemented all 72 cybersecurity practices. The certification process involves an assessment by a third-party assessor. Once certified, contractors can bid on contracts that require Level 2 certification.

What cybersecurity practitioners should know about CMMC Level 2

Level 2 represents a significant step up in cybersecurity readiness, as it adds many additional controls beyond the basic practices of Level 1. Cybersecurity practitioners should focus on helping contractors implement these controls effectively and efficiently while minimizing the time commitment required of their organizations. This may require additional training and resources to ensure that contractors can meet the requirements of Level 2.

Level 3: Good Cyber Hygiene

Level 3 of CMMC 2.0 is designed to protect CUI from Advanced Persistent Threats (APTs) and includes a total of 130 cybersecurity practices. This level includes requirements for threat hunting, incident response planning, and employee awareness training.

To achieve Level 3 certification, contractors must demonstrate that they have implemented all 130 cybersecurity practices. The certification process involves an assessment by a third-party assessor. Once certified, contractors can bid on contracts that require Level 3 certification.

What cybersecurity practitioners should know about CMMC Level 3

Level 3 represents the highest level of cybersecurity maturity in the CMMC 2.0 framework. It includes many advanced controls and requires a significant investment in resources and training. Cybersecurity practitioners should focus on helping contractors build a strong cybersecurity culture that includes threat hunting, incident response planning, and employee awareness training. These practices can help contractors detect and respond to APTs before they can do significant damage.

Levels 1 and 2 Available in Axio360

Begin with a self-assessment

Levels 1 and 2 are available in the Axio360 platform, and the assessment interface is instantly familiar. CMMC 2.0 in Axio360 includes all the features our users have enjoyed while completing other compliance assessments, such as easy collaboration with other team members by assigning action items and notes to colleagues. Because Level 2 of CMMC 2.0 builds on the activities in Level 1, we enable you to continue your assessment journey in the platform by toggling rapidly between the levels.

POA&Ms are included in the Axio360 platform

Plans of Action and Milestones (POA&Ms) are a critical component of a CMMC compliance strategy. POA&Ms document corrective action plans for tracking and resolving information security and privacy weaknesses against CMMC requirements. The plans detail the gaps and intended remediations, resources (e.g., personnel, technology, funding) required to accomplish the plan, milestones for correcting the weaknesses, key stakeholders involved in the effort, and scheduled completion dates for the milestones. POA&Ms are included in the Axio360 platform to make it easier to achieve Level 1 and Level 2 compliance.

A note about Level 3

Level 3 is in progress in the platform because rulings have not been finalized. Axio’s research and development team is actively involved in updating the platform as new information becomes available.

We welcome you to check our documentation portal for our latest updates.

Get Started with CMMC 2.0 Today

The CMMC 2.0 framework introduces three distinct maturity levels that contractors must achieve in order to bid on DoD contracts. Each level builds on the previous one and adds additional cybersecurity controls to protect sensitive information from cyber threats. By helping contractors implement the required cybersecurity controls, cybersecurity practitioners can help to ensure that sensitive information is protected from cyber threats.

The Cybersecurity Maturity Model Certification (CMMC) is available in the Axio360 platform. You can get started today by completing a Level 1 and Level 2 assessment—the core building blocks necessary to achieve compliance. Please contact us to discuss licensing options if you’d like to learn more about our CMMC offerings.