Cybersecurity Maturity Model Certification (CMMC) Model Overview

The Cybersecurity Maturity Model Certification (CMMC) Model Overview outlines the Department of Defense’s approach to assessing the cybersecurity of its contractors.

CMMC is divided into three levels based on the sensitivity of information and required security measures:

  • Level 1 (Foundational): Focuses on protecting Federal Contract Information (FCI) using 15 basic safeguarding practices from FAR 52.204-21. Requires an annual self-assessment with senior official affirmation.

  • Level 2 (Advanced): Applies to contractors handling Controlled Unclassified Information (CUI) and aligns with NIST SP 800-171 (110 practices). Requires:

    • Self-assessment for non-prioritized acquisitions involving CUI.

    • Third-party or government-led assessment for prioritized acquisitions with higher risk.

  • Level 3 (Expert): Designed for highly sensitive CUI environments, incorporating additional practices from NIST SP 800-172, and requires triennial government-led assessments.

This tiered model ensures contractors apply cybersecurity controls in proportion to the level of risk and type of federal information they manage.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
