Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates
Client Alert | 1 min read | 11.13.19
Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:
- Condensing the CMMC requirements;
- Modifying the practices and processes; and
- Providing clarifications and examples for CMMC Level 1 requirements.
Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:
- Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
- Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
- Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.
Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.
Contacts
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 5 min read | 02.23.26
UK Government Seeks Evidence on Ownership and Control in Financial Sanctions Regulations
The UK’s Office of Financial Sanctions Implementation (OFSI) has launched a call for evidence concerning the "ownership and control" test within UK financial sanctions. The call for evidence, running until 11:59 p.m. on 13 April 2026, seeks stakeholder views on the challenges and implementation of the "control" limb, with particular focus on its hypothetical element.
Client Alert | 4 min read | 02.20.26
Client Alert | 7 min read | 02.20.26
Section 5949 Proposed Rule Puts the FAR Council's Chips on the Table
Client Alert | 5 min read | 02.20.26
Trump Administration Pursues MFN Pricing for Prescription Drugs
