Cybersecurity Maturity Model Certification (CMMC) – COMING SOON!

CMMC 1.0 was initiated by the U.S. Department of Defense (DoD) to protect the DoD Controlled Unclassified Information (CUI) that exists throughout the Defense Industrial Base (DIB) from our adversaries who would like to steal or sabotage the data. 

The DoD initiated an internal review of the initial CMMC program, leading to a refinement of the policy and program by cybersecurity leaders. As a result, the CMMC Standard was revised to 2.0 in November 2021. There are now 3 possible levels of certification, and the required level per vendor will be written in contracts by DoD. These levels are determined based on data risk, and the security controls are assigned based on this risk. Below are the level controls and the general applicability for reference:

  • CMMC Level 1 (ML1) Foundation: 17 practices. Could be applicable to a low-risk office supply vendor. There is an option for self-determination by the supplier. CMMC recommends suppliers still consider seeking certification by an accredited C3PAO.

  • CMMC Level 2 (ML2) Advanced: 110 controls, including NIST SP 800-171. Applies to vendors with DoD prints and specifications – often requirements flowed down to operations like a machine shop or other component and product manufacturers. Suppliers are required to achieve triennial certification by an accredited C3PAO.

  • CMMC Level 3 (ML3) Expert: 110 controls. This is applicable to a high-risk primary defense contractor such as Boeing, Lockheed Martin or Raytheon. This level will be certified by the US Government – DoD only.

DoD suppliers must implement the relevant maturity level of the CMMC Standard as specified by DoD in their contracts once the program is released. 

CMMC Status

CMMC 2.0 Rule Making is now in Final status and Title 32 has been published. Title 48 DFARS, which provides the ability to write CMMC requirements into DoD contracts, is expected to be approved early to mid-2025. Congress will give the final approval before the open market can begin.

  • CMMC is training and approving auditors 

  • CMMC is taking applications from C3PAOs (like PRI Certification) 

  • CMMC is approving trainers, training organizations, Registered Provider Organizations (RPOs), and Registered Practitioners (RPs) to support suppliers with implementation

For more information, please visit the CMMC website

PRI Certification will be seeking CMMC accreditation as a C3PAO in 2025.