What are the CMMC Levels?

With the introduction of CMMC 2.0, the Cybersecurity Maturity Model Certification (CMMC) was streamlined from five to three levels. The CMMC levels are:

  1. CMMC 2.0 Level 1: Basic Safeguarding of FCI
    • Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
  2. CMMC 2.0 Level 2: Broad Protection of CUI
    • Requirements:
      1. Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.
      2. Which of the two assessment types applies is decided by the type of information processed, transmitted, or stored on the contractor's or subcontractor's information systems.
      3. Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.
  3. CMMC 2.0 Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
    • Requirements:
      1. Successfully demonstrate conformity with CMMC 2.0 Level 2.
      2. Undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
      3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.