If your company works with the Department of Defense (DoD), you’ve probably heard of the Cybersecurity Maturity Model Certification (CMMC). It’s a system designed to help companies protect sensitive government information. But what’s the difference between CMMC Level 1 and Level 2? Let’s break it down.
FCI vs. CUI: What Kind of Information Are We Talking About?
The DoD has many security levels for their information, and CMMC Level 1 and Level 2 focus on protecting two of them:
Level 1 is all about protecting Federal Contract Information (FCI), the basic information that accompanies defense contracts.
Level 2 is more advanced, focusing on Controlled Unclassified Information (CUI), which is more sensitive and needs stricter protection. CUI is typically the drawings or technical specifications you receive to manufacture a product.
Domains, Controls, and Objectives: What Are the Requirements?
The requirements for each level are very different:
Level 1 has 6 categories of security practices (called "domains") and includes 17 controls (specific security rules that must be followed).
Level 2 increases to 14 domains and has 110 controls, meaning more areas to secure and more rules to follow. These 110 controls include 320 specific objectives, which are the detailed steps organizations must take to stay compliant.
Who Does the Assessment?
One of the key differences between the two levels is how the assessments work:
Level 1 can be done with a self-assessment, where your company checks its own compliance. A company Affirming Official must submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 every year.
Level 2 usually requires an official assessment from a third-party assessor, called a Certified Third-Party Assessment Organization (C3PAO). A company Affirming Official must submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 every year.
How Often Do You Need an Assessment?
How often you need to be assessed also depends on the level:
Level 2: You’ll need a third-party assessment every three years to stay certified and a self-assessment every other year.
Level 1: You’re required to do a self-assessment every year.
In short, CMMC Level 2 has stricter rules and requires more security practices than Level 1. It’s designed to protect more sensitive information (CUI) and requires third-party assessments, while Level 1 focuses on protecting less sensitive information (FCI) and uses self-assessments. Knowing these differences will help you stay compliant and keep your DoD contracts in good standing.
Schedule a free 15-minute consultation with our cybersecurity experts to make sure you're working towards the right level and to answer your questions about starting your CMMC implementation.
About AXIOTROP, LLC:
AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with companies to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.