April 18, 2025
I've been in your shoes, and I know how overwhelming it can feel.
The DoD just released the final rule in October 2024, and many organizations are scrambling to understand what's changed.
Today, I'm breaking down everything you need to know about the updated CMMC framework in plain English.
Here's what you'll learn:
The Cybersecurity Maturity Model Certification (CMMC) has evolved significantly since its introduction.
The current version (2.13) was finalized in October 2024 with the publication of the final rule in the Federal Register.
This framework is designed to protect sensitive defense information across the Defense Industrial Base (DIB).
The model is hierarchical, meaning each level builds upon the previous one.
Let's break down what each level requires.
CMMC Level 1 applies to organizations that handle Federal Contract Information (FCI).
This is the baseline level that approximately 63% of DIB organizations will need to implement.
Level 1 includes 15 basic cybersecurity requirements derived from FAR 52.204-21.
Think of this as the security foundation every contractor needs to establish.
For example, one requirement is performing basic system maintenance on your organizational systems.
This might seem simple, but documenting that you're doing it consistently is crucial for certification.
If your organization handles Controlled Unclassified Information (CUI), you'll need to meet CMMC Level 2.
This level encompasses all 15 requirements from Level 1 plus an additional 95 requirements.
That's a total of 110 requirements derived from NIST SP 800-171 Rev 2.
These requirements span multiple domains, including access control, maintenance, and incident response.
For instance, in the Maintenance domain alone, there are six specific requirements your organization must implement.
The good news? You only need to meet 80% of these requirements (88 out of 110) to achieve certification.
Any gaps can be addressed through a Plan of Action and Milestones (POA&M), but you'll have just 180 days to resolve them.
CMMC Level 3 is reserved for organizations handling the most sensitive CUI related to high-value assets or critical defense programs.
Less than 1% of DIB organizations will need this level of certification.
Level 3 includes all 110 requirements from Level 2 plus 24 additional requirements from NIST SP 800-172.
These enhanced controls are specifically designed to protect against Advanced Persistent Threats (APTs).
Unlike Levels 1 and 2, assessments at Level 3 will be government-led rather than conducted by third-party assessment organizations.
Similar to Level 2, you'll need to meet 80% of the Level 3-specific requirements (19 out of 24).
2. Conduct a gap assessment
3. Develop implementation plans
4. Document your policies and procedures
5. Train your staff
6. Prepare for assessment
Navigating the CMMC requirements might seem daunting at first glance.
But with a systematic approach, you can achieve certification without unnecessary stress.
Remember that the goal isn't just checking boxes—it's genuinely improving your security posture to protect sensitive defense information.
Today, you've learned about the three CMMC levels, their specific requirements, and practical steps to prepare for certification.
The defense industrial base is counting on contractors like you to strengthen our national security through robust cybersecurity practices.
Are you ready to take on the challenge?