Blog Post

Understanding the Basics of CMMC Level 2

Government Contracts Navigator

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

To read the full post, please visit our Government Contracts Navigator blog.