1. Home
  2. |Insights
  3. |Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Client Alert | 1 min read | 11.13.19

Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:

  • Condensing the CMMC requirements;
  • Modifying the practices and processes; and
  • Providing clarifications and examples for CMMC Level 1 requirements.

Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:

  • Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
  • Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
  • Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.

Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

Insights

Client Alert | 5 min read | 07.14.25

The European Commission issues competition guidance in the transport sector

On July 9, 2025, the Directorate-General for Competition within the European Commission issued two informal guidance letters, both intended to bring increased clarity on competition law compliance to companies in the transport sector....