Cyber attacks and the threat of intellectual property threaten our economy and national security. According ro research from Check Point Security one out of every 61 organizations worldwide gets impacted by ransomware. Attacks on educational and research organization increased 75% in 2022. Attacks on the Government and militaries of the world rose 47% and attacks on Managed Service Providers rose 67%. Attacks in the United States rose 97%. The cost of this crime, according to the Center for Strategic and International Studies surpassed $600 billion in 2017. Given the sharp rise in attacks in 2021 this number must far exceed one trillion dollars.

The Department of Defense created the Cybersecurity Maturity Model Certification to help protect our the data contractors hold from from this constant barrage of attacks. Before CMMC, and since 2017 contracts had to self-attest to their compliance to the NIST-SP-800-171 Rev 2 cybersecurity Maturity Model Certification framework uses the security requirements of NIST-SP-800-171 Rev 2 Protecting Controlled Unclassified Information in Non-federal Systems and Organizations.

CMMC introduces ways to increase trust in those assessments by utilizing third party assessors.

CMMC Model

Cybersecurity Maturity Model Certification framework uses the security requirements of NIST-SP-800-171 Rev 2 Protecting Controlled Unclassified Information in Non-federal Systems and Organizations, and a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.

CMMC 2.0

The framework organizes the requirements into Domains which map identically to the families of 171. The need to meet specific practices, which match the security requirements of 171, occur at three different levels.

  • Level 1:Basic safeguarding requirements for FCI specified in FAR Clause 52.204-21
  • Level 2: Security Requirement of NIST-SP-800-171
  • Level 3: Yet releases subset of security requirements specified in NIST SP 800-172

Again in the CMMC framework we call these security requirements practices. Each practice gets met by meeting all the assessment objectives, which match perfectly to the determining statements of NIST-SP-800-171a.

Practices and Assessment Objectives

At Level One the CMMC framework contains 17 practices to meet the fifteen basic safeguarding requirements needed to protect Federal Contract Information. This requires a contractor to meet fifty-nine assessment objectives.

At Level Two you need to meet the baseline to protect Controlled Unclassified Information per DFARS Clause 252.204-7012 as laid out in NIST-SP-800-171. This requires 110 practices and 320 assessment objectives.

At Level Three a subset of security requirements from NIST-SP-800-172 will get selected. This will occur at a later date and may vary by contract. The Government can always require additional requirements in contracting.

The levels in the framework, moving from Foundation, to Advance and then Expert are cumulative. This means level three encompasses all the security requirements of level two and three.


As the levels of the CMMC framework increases the required trust need in the assessment also goes up. At Level One a company self-assesses to the 17 practices and 59 assessment objectives.

At Level Two a company conducts a triennial third party assessment from a Certified Third Party Assessor occurs for the 110 practices and 320 assessment objectives. Remember this includes everything from level one. A select number of contracts may include self-assessment at Level Two.

At Level Three the government will come in and provide an additional assessment of any requirements selected from 172. A company will undergo a Level Two assessment from a C3PAO first. They must have a level two certificate before seeking a level three certificate.