Compliance Glossary

CMMC 2.0 has three distinct security levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The specific CMMC maturity level that your company needs to attain, along with the associated compliance, hinges on the sensitivity of the data set to handle. 

Level 1 (Foundational)

Level 1 emphasizes fundamental cybersecurity practices. Companies can implement these practices in an ad-hoc manner with minimal documentation. Certification at this level can be achieved through an annual self-assessment; third-party assessors do not evaluate process maturity.

Level 2 (Advanced)

Level 2 introduces a more structured approach, requiring organizations to document their processes for achieving CMMC Level 2 maturity. This documentation must enable users to replicate these processes effectively. Companies must rigorously adhere to their documented procedures to attain this level of maturity.

Level 3 (Expert)

At Level 3 of the CMMC model, the focus is on increasing the company’s defenses against advanced persistent threats (APTs). To achieve this, you must establish, maintain, and allocate resources for a comprehensive plan that oversees the implementation of cybersecurity practices. 

This plan includes various aspects, including setting goals, defining missions, managing projects, and more.