Cybersecurity Maturity Model Certification (CMMC)
The CMMC is a security framework that applies to US Department of Defense (DoD) contractors working with Controlled Unclassified Information (CUI). Version 2.0 was released in October 2024 and will begin rollout in 2025, with the intention to include CMMC compliance requirements in all DoD contracts by 2028. Magnitude 8 helps Australian businesses become Defence-ready by assisting with NIST 800-171 and CMMC compliance.
CMMC 1.0 was initially released in 2020 as a tiered model with 5 levels; in version 2.0 this has been reduced to 3 levels. Level 1 is required if Federal Contract Information (FCI) is possessed but CUI is not possessed, transmitted or stored. Level 2 is the minimum level for the handling of CUI and includes all of the NIST 800-171 R2 requirements.
Level 1: Basic Safeguarding of FCI. Compliance with 15 security requirements and self-assessment on an annual basis.
Level 2: Broad Protection of CUI. Compliance with NIST 800-171 Revision 2. An assessment must be carried out every three years, either as a self-assessment or by a third-party assessor, depending on the type of CUI handled.
Level 3: Protecting CUI against Advanced Persistent Threats. Compliance with NIST 800-171 and an additional 24 requirements from NIST 800-172.
For further information, please see the CMMC information page provided by the Office of the Chief Information Officer for the U.S. Department of Defense.
If you’d like to organise a meeting to find out more and meet our team, please contact us.