CMMC 2.0 Introduction


The theft of confidential information and intellectual property from all industries due to cyber attacks is a major threat to the economy and national security. In 2016, it was estimated that cybercrime cost the US economy anywhere from $57 billion to $109 billion, according to the Council of Economic Advisers. Additionally, the Center for Strategic and International Studies estimated the worldwide cost of cybercrime was as much as $600 billion in 2017.


The Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain have been and continue to be targeted by malicious cyber actors. The DIB sector includes over 300,000 companies involved in supporting the military and in the development, production, and operation of DoD systems and services. The loss of information from the DoD supply chain puts the US's technical advancements and security at risk. To enhance the security of the DIB sector, the DoD is working with companies to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information generated or provided by the government under contract, while CUI is information requiring protection and control according to government policies and regulations.


To achieve this goal, the Office of the Under Secretary of Defense for Acquisition and Sustainment has created the Cybersecurity Maturity Model Certification framework with the involvement of the DoD, research centers, and the DIB sector.


The CMMC framework includes security requirements from NIST SP 800-171 Rev 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and a portion of the requirements from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). This model arranges these practices into domains that align with the NIST SP 800-171 Rev 2 families. The CMMC framework includes three levels: Level 1, Level 2, and Level 3, as outlined in the following sections.

The CMMC model measures the implementation of cybersecurity requirements at three levels. Each level consists of a set of CMMC practices:

Level 1: Encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.

Level 2: Encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].

Level 3: Information on Level 3 will be released at a later date and will contain a subset of the security requirements specified in NIST SP 800-172 [6].

The CMMC levels and associated sets of practices across domains are cumulative. More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. For the case in which an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.