What is CMMC 2.0 Compliance Level 1?

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) to protect sensitive information in the Defense Industrial Base (DIB). Its goal is to ensure contractors handling federal contract information (FCI) and controlled unclassified information (CUI) meet specific cybersecurity standards.

The original CMMC framework included five levels of compliance, each with increasing cybersecurity requirements. However, CMMC 2.0, introduced in 2021 and finalized in October 2024, simplifies this framework by reducing the levels to three (Foundational, Advanced, and Expert) and aligning closely with established standards like NIST SP 800-171 and NIST SP 800-172. 

Figure: Updated CMMC Model

A breakdown of the three CMMC 2.0 compliance levels and their requirements:

  • Level 1 (Foundational): Self-assessment with 15 practices focused on basic cyber hygiene.
  • Level 2 (Advanced): Alignment with 110 controls from NIST SP 800-171, requiring third-party assessments for most organizations.
  • Level 3 (Expert): Based on NIST SP 800-172, requiring government-led assessments.

CMMC 2.0 Implementation Timeline: Key Dates to Know

The CMMC 2.0 implementation is being rolled out in phases, giving organizations time to prepare. Here are the major milestones:

  • Phase 1: December 16, 2024
      Self-assessments become mandatory for all organizations handling FCI (Level 1) or CUI (Level 2). Contractors must demonstrate compliance with basic cyber hygiene practices or NIST SP 800-171 controls.
  • Phase 2: December 2025
      Certain contracts will require third-party certifications (C3PAO) for Level 2 compliance. This phase focuses on contracts involving sensitive or critical defense information.
  • Phase 3: December 2026
      Full certification requirements will extend to all contracts requiring CMMC 2.0 compliance. Self-assessments will no longer suffice for most contracts.
  • Phase 4: Full CMMC 2.0 Compliance Across the DIB
      All contracts requiring CMMC 2.0 compliance will enforce certification, ensuring consistency and security throughout the DIB.

This phased approach provides contractors with a clear roadmap for achieving compliance while minimizing disruptions.

Requirements to Meet CMMC 2.0 Compliance Level 1 (Foundational)

CMMC 2.0 Level 1 (Foundational) is the entry point for compliance, focusing on securing FCI. Organizations must meet 15 practices outlined in FAR Clause 52.204-21. Unlike higher levels, Level 1 allows for self-assessment, which must be completed annually and reported to the Supplier Performance Risk System (SPRS).

These 15 practices from the FAR Clause 52.204-21 are as follows:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Implementing these controls establishes basic cyber hygiene: a foundational layer of security that protects FCI without requiring advanced capabilities. They are the minimum security practices a contractor must implement to comply with CMMC 2.0 Level 1.

DoD contracts issued after December 16, 2024, will include updated cybersecurity clauses reflecting the new CMMC 2.0 level structure and their respective requirements. 

If you’re preparing for CMMC 2.0 Level 1 compliance, Carbide’s CMMC 2.0 Level 1 Self-Assessment Tool can guide you through the process, ensuring you meet each of these 15 practices effectively. To successfully complete a CMMC 2.0 Level 1 self-assessment, organizations should:
1. Understand the Requirements: Review the 15 practices listed above and ensure they are implemented across your systems.
2. Prepare Your Documentation: Maintain clear records of how your organization addresses each practice.
3. Conduct the Assessment: Use tools like Carbide’s CMMC 2.0 Level 1 Assessment Questionnaire to evaluate your compliance.
4. Submit Your Results: Enter your assessment results in the SPRS portal.

For more guidance, consult resources such as the DoD’s CMMC 2.0 documentation and self-assessment guides.

How Carbide Can Help with CMMC 2.0 Compliance Level 1 Self Assessments and More

Carbide’s CMMC 2.0 Level 1 Self-Assessment Questionnaire simplifies the process by guiding you through each requirement and delivering a report on any gaps that prevent you from meeting the CMMC 2.0 Level 1 requirements. Carbide’s platform and advisory services are designed to help you achieve compliance at whichever CMMC 2.0 level you require.

Our automated tools streamline tasks like documentation and risk assessments, while our team of cybersecurity experts provides hands-on support to handle complex requirements. With Carbide, you can confidently meet your compliance goals without overburdening your internal resources.

Book a free consultation today to learn how we can help secure your business and meet your CMMC 2.0 compliance needs.