As you set your Cybersecurity Maturity Model Certification goals, it is important to have a solid grasp of the different compliance tiers available. For example, what is the difference between CMMC Level 1 and CMMC Level 2? In today’s blog post, we take a closer look.
About CMMC
The acronym CMMC stands for Cybersecurity Maturity Model Certification.
The Department of Defense (DoD) created CMMC as a framework designed to standardize and strengthen cybersecurity practices across the Defense Industrial Base (DIB).
Any contractor or subcontractor working with the DoD is required to comply with CMMC.
The Cybersecurity Maturity Model Certification comprises three progressive levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
As we will see in the next sections, the CMMC level you need to achieve will depend on the type of information you are required to handle by a given contract, among other factors.
What Is CMMC Level 1?
CMMC Level 1 is focused on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.
The FAR defines FCI as “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
CMMC Level 1 practices correspond to the basic safeguarding requirements outlined in 48 CFR 52.204-21, also known as the FAR Clause.
What Is CMMC Level 2?
While CMMC Level 1 addresses FCI, CMMC Level 2 encompasses the protection of Controlled Unclassified Information (CUI).
CUI is defined by the National Archives and Records Administration (NARA) as information that does not warrant classified status but “requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.”
CMMC Level 2 practices are aligned with the 110 security requirements specified in NIST SP 800-171 Rev. 2.
CMMC Level 1 vs CMMC Level 2
The main difference between CMMC Level 1 and CMMC Level 2 is their focus.
CMMC Level 1 is geared toward Federal Contract Information while CMMC Level 2 is designed to protect Controlled Unclassified Information.
Another important difference between CMMC Level 1 and CMMC Level 2 is the number of practices you are required to implement in each case.
A CMMC practice is a cybersecurity control your organization needs to implement in order to comply with a given CMMC level. The higher the CMMC level, the more practices you will need to implement.
CMMC Level 1 consists of 17 practices, while CMMC Level 2 requires 110 practices.
The first two CMMC levels also differ in how certification is obtained. CMMC Level 1 certification is obtained through annual self-assessments, while CMMC Level 2 compliance is certified with triennial third-party assessments (and annual self-assessments for select programs).
To learn more about the considerations you need to make when choosing between CMMC Level 1 and CMMC Level 2, read our previous blog “What CMMC Level Do I Need?”
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063