The Cybersecurity Maturity Model Certification (CMMC) 2.0 Model, as defined by the US Department of Defense (DoD), is a set of standards and practices for cybersecurity that defense contractors must follow in order to protect Controlled Unclassified Information (CUI) from cyber threats. The model is structured in five levels, but to simplify, I will explain the three main levels.

  • Level 1: Basic Cyber Hygiene – This level covers basic security measures such as password management, incident response, and access controls. Defense contractors that handle unclassified data only and have minimal access to CUI will be required to meet Level 1 standards.
  • Level 2: Good Cyber Hygiene – This level covers good security practices such as security awareness training, incident response planning, and security incident management. Defense contractors that process, store, or transmit CUI will be required to meet Level 3 standards.
  • Level 3: Advanced/Progressive – This level covers advanced security measures such as continuous monitoring and penetration testing.

The CMMC 2.0 model also includes sub-categories that are divided into 17 domains. These domains are:

  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Personnel Security
  • Recovery
  • Risk Management
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Each level of the model requires defense contractors to meet different sets of security requirements, and each level is more stringent than the previous one. The DoD will require defense contractors to achieve a specific level of certification depending on the type of data and services they provide, and the defense contractor will have to be regularly assessed to ensure compliance.

Nimbus Logic has engineered a cloud-based service that will ensure CMMC 2.0 compliance across the Microsoft stack of technologies, along with enrolled workstations and mobile devices.
