With CMMC 2.0 coming quickly down the tracks, many organizations that do business with the Department of Defense (DoD) either directly or as a downstream contract are scrambling to figure out what they need to do to keep their contracts, and revenue, flowing.
CMMC 2.0 simplified the model from its predecessor in that it now has only 3 levels instead of 5.
To simplify the question, the level required for your organization will be determined by the kind of data that you receive, store, consume or create.
- Level 1 – Works with Federal Contract Information (FCI)
- Level 2 – Works with Controlled Unclassified Information (CUI)
- Level 3 – Works with CUI and Critical CUI
If you are still wondering which level applied to your organization, look at the bid documents and contracts that you receive. It should indicate what type of information is being shared with you. If it is still unclear, fear not; one of the requirements in the program is that all bids after the rule goes into full effect will be clearly marked for the type of information that is being consumed.