“The Department of Defense is drafting a new standard called the Cybersecurity Maturity Model Certification. This standard will replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2021. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before being awarded a contract or subcontracting to a prime.”
Katie Arrington OUSD (A&S), Professional Services Council “What Contractors Need to Know About DoD’s CMMC” Webinar, July 17, 2019
Based on version 1.02 of the CMMC, there are 5 levels, and each has its own specific set of controls that will be in scope for a CMMC audit. The CMMC is a foundation, and each level builds off the one prior.
- CMMC Level 1: This is essentially addressing FAR 52.204-21 cybersecurity principles.
- CMMC Level 2: This builds on CMMC Level 1 and addresses a little over half of NIST 800-171 controls.
- CMMC Level 3: This builds on CMMC Level 2 and addresses all NIST 800-171 and a few extras.
- CMMC Levels 4 & 5: CMMC Levels 4 & 5 build off CMMC Level 3 and include controls from a range of frameworks