What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Government Contracts Navigator

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.

CMMC Level 1:

DOD’s CMMC Level 1 guidance confirms what contractors have already understood: A contract will require a CMMC Level 1 self-assessment if it requires the contractor to process, store, or transmit only FCI on the contractor’s information system. Stated another way, if the contractor does not receive CUI in connection with the contract, then the contractor will only need a CMMC Level 1 self-assessment to perform the contract. Thus, contractors that have not historically received CUI when supporting DOD may be able to continue their DOD work with only a CMMC Level 1 self-assessment. 

To read the full post, visit our Government Contracts Navigator blog.