Skip to content


TomCast LXXV

Hello, and welcome back to this next TomCast from Iron Bow Technologies; we are a leading global IT solution provider dedicated to innovation with integrity. We successfully transform today's technology challenges into business opportunities, helping our clients meet their missions while gaining a competitive edge. 

Today we’re going to discuss the Cybersecurity Maturity Model Certification, otherwise known as CMMC, the various certification levels, and what they mean. We will also discuss the differences between CMMC version 1.0, and version 2.0.

Ok, so to start off, what is CMMC and what is the purpose of it? The idea of CMMC originated back in 2010 in an effort to ensure that controlled unclassified information, or CUI, was protected while accessed, stored, and transmitted in order to align with Executive Order 13556. That executive order basically defined what CUI was and what it entailed, or (in other words) what data was considered controlled unclassified information and what wasn’t.

Oddly enough it took nine years for the idea to become a reality, with CMMC being developed with the Department of Defense to move suppliers away from self-assessments of NIST Special Publication 800-171 (why yes, TomCast 37 talks about that special publication as well if you would like to learn more). That publication contains 110 security controls across 14 specific control families. 

Anyway, getting back to CMMC, the certification levels originally created were levels one through five that specified an organizations cybersecurity posture in relation to those security controls. Those levels were Level 1 - Basic Cyber hygiene, Level 2 - Intermediate Cyber Hygiene, Level 3 - Good Cyber Hygiene, Level 4 - Proactive Cyber Hygiene, Level 5 - Advanced and Progressive Cyber Hygiene. All contractors were required to meet level 1, with compliance with higher levels dependent upon services being rendered where/what/why.

Per the Department of Defense, “in September 2020, the DoD published an interim rule to the DFARS (which stands for Defense Acquisitions Requisitions System) in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period”.

While this approach progressed, the CMMC process was tweaked and honed into CMMC 2.0, and the five levels were compressed into three. Those levels are Level 1 – Foundational, Level 2 – Advanced, and Level 3 – Expert. The Department of Defense defines CMMC 2.0 as “a program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters”.

Interestingly, again per the Department of Defense’s website, it states “The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation. While these rulemaking efforts are ongoing, the Department has suspended prior CMMC Piloting efforts”.

Here is a more in-depth definition of each level. Level 1 (foundational) contains 15 security control requirements and requires annual self-assessments and annual affirmation. Level 2 (advanced) contains 110 security control requirements and requires triennial third party assessment and affirmation for select programs. Level three, similar to level 2, contains 110 security control requirements (expert) and requires triennial third party assessment and affirmation across the board.

You’ll notice that level 2 and 3 contain 110 security control requirements, and if you remember earlier how many controls were in the NIST Special Publication 800-171, you’ll notice that 110 controls across 14 families make up that publication. So, levels 2 and 3 are compliant with NIST 800-171 in their respective areas.

If you have any questions surrounding CMMC, reach out to us over here at Iron Bow Technologies. We have the expertise to help you understand the requirements of the Department of Defense and how CMMC will benefit you and your organization. We’re also here to help any way we can to ensure your organization remains as secure as possible.

We here at Iron Bow thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on Or, if you would like more information on what Iron Bow can do for you, head on over to and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!