What is Needed for CMMC 2.0 Level 1 Compliance?

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) to protect sensitive information in the Defense Industrial Base (DIB). Its goal is to ensure contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet specific cybersecurity standards.

If you aren’t familiar with CMMC, check out our blog, How Manufacturers Can Get Secure and Avoid Government Risk with CMMC 2.0 Compliance, to learn what it is and why you’ll have to do it.

The original CMMC framework included five levels of compliance, each with increasing cybersecurity requirements. However, CMMC 2.0 (introduced in 2021 and finalized in October 2024) simplifies this framework by reducing the levels to three (Foundational, Advanced, and Expert) and aligning closely with established standards like NIST SP 800-171 and NIST SP 800-172. 

  • Level 1 (Foundational)
    Self-assessment with 15 practices focused on basic cyber hygiene.
  • Level 2 (Advanced)
    Alignment with 110 controls from NIST SP 800-171, requiring third-party assessments for most organizations.
  • Level 3 (Expert)
    Based on NIST SP 800-172, requiring government-led assessments.

To ensure you’re on the easiest path to success, check out our on-demand webinar, How to Streamline Your CMMC 2.0 Compliance.

The CMMC 2.0 Implementation Timeline—Key Dates to Know

The CMMC 2.0 implementation is being rolled out in phases, giving manufacturers time to prepare. Here are the major milestones:

  • Phase 1: December 16, 2024
    Self-assessments become mandatory for all organizations handling FCI or CUI data. Contractors must demonstrate compliance with basic cyber hygiene practices or NIST SP 800-171 controls. Download a checklist of CMMC 2.0 Level 1 requirements.
  • Phase 2: December 2025
    Certain contracts will require third-party certifications (C3PAO) for Level 2 compliance. This phase focuses on contracts involving sensitive or critical defense information.
  • Phase 3: December 2026
    Full certification requirements will extend to all contracts requiring CMMC 2.0 compliance. Self-assessments will no longer suffice for most contracts.
  • Phase 4: Full CMMC 2.0 Compliance Across the DIB
    All contracts requiring CMMC 2.0 compliance will enforce certification, ensuring consistency and security throughout the DIB.

This phased approach provides contractors with a clear roadmap for achieving compliance while minimizing disruptions.

FREE Self-Assessment Tool

DoD contracts issued after December 16, 2024, will include updated cybersecurity clauses reflecting the new CMMC 2.0 level structure and the requirements for each level. To complete a CMMC 2.0 Level 1 self-assessment*, manufacturers should:

  1. Understand the CMMC 2.0 Level 1 Requirements
    Review the 15 requirements and ensure they are implemented across your systems.
  2. Prepare Your Documentation
    Maintain clear records of how your company addresses each practice.
  3. Conduct the Assessment
    Use tools like Carbide’s CMMC 2.0 Level 1 Assessment Questionnaire to evaluate your compliance.
  4. Submit Your Results
    Enter your assessment results in the Supplier Performance Risk System (SPRS).

If you’re preparing for CMMC 2.0 Level 1 compliance, Carbide has a free self-assessment tool to help you navigate the process. This tool provides step-by-step guidance and generates a report identifying gaps that must be addressed to meet the Level 1 requirements.

*For more guidance, consult resources such as the DoD’s CMMC documentation and self-assessment guides.
