What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level
Tuesday, February 18, 2025

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.

CMMC Level 1:

DOD’s CMMC Level 1 guidance confirms what contractors have already understood: A contract will require a CMMC Level 1 self-assessment if it requires the contractor to process, store, or transmit only FCI on the contractor’s information system. Stated another way, if the contractor does not receive CUI in connection with the contract, then the contractor will only need a CMMC Level 1 self-assessment to perform the contract. Thus, contractors that have not historically received CUI when supporting DOD may be able to continue their DOD work with only a CMMC Level 1 self-assessment.

CMMC Level 2:

CMMC Level 2 is unique among the CMMC Levels because it is the only level that is bifurcated into a self-assessment and certification. DOD’s new guidance outlines which contracts will require a CMMC Level 2 self-assessment, and which contracts will require a certification.

DOD contracts will require a CMMC Level 2 certification if the contractor will receive CUI that falls under the National Archives’ “Defense Organizational Index Grouping.” Recall that the National Archives groups CUI into one of 20 overarching organizational index groups. The Defense index group consists of five types of CUI: (1) Controlled Technical Information; (2) DoD Critical Infrastructure Security Information; (3) Naval Nuclear Propulsion Information; (4) Privileged Safety Information; and (5) Unclassified Controlled Nuclear Information – Defense. Thus, contractors who receive any of these five types of CUI should expect their future contracts to require a CMMC Level 2 certification.

DOD contracts will require a CMMC Level 2 self-assessment if the contractor will only receive non-Defense CUI. That is, if a contract involves CUI, but not the five types of CUI identified above, then the contractor will only need a CMMC Level 2 self-assessment. Contractors who do not regularly receive Defense-related CUI may be able to continue their DOD work with only a CMMC Level 2 self-assessment. Note, however, that if a contractor is willing to invest the resources needed to comply with Level 2’s security requirements, then it may be worth pursuing a certification if there is any chance the contractor may wish to pursue opportunities requiring a Level 2 certification.

CMMC Level 3:

DOD’s guidance cautions officials to “avoid overuse of the CMMC Level 3 requirement.” This is consistent with past statements from DOD, which emphasized that very few contracts will require a CMMC Level 3 certification. DOD’s guidance identifies three situations when a CMMC Level 3 requirement may be appropriate: (1) contracts where the contractor will receive CUI associated with a breakthrough, unique, and/or advanced technology; (2) contracts involving a significant aggregation or compilation of CUI in a single information system or IT environment; and (3) contracts where an attack on a single information system or IT environment would result in widespread vulnerability across DOD. Contractors who regularly support contracts involving research and development of new and sensitive DOD technology or who collect significant amounts of CUI during performance should explore whether to obtain a CMMC Level 3 certification.

Overall, contractors should pursue a CMMC level that is appropriate for the types of DOD information they receive and is consistent with their future business objectives. Most important, to avoid losing out on contracting opportunities, contractors should not delay identifying and obtaining their desired CMMC level.
