Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates
Client Alert | 1 min read | 11.13.19
Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:
- Condensing the CMMC requirements;
- Modifying the practices and processes; and
- Providing clarifications and examples for CMMC Level 1 requirements.
Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:
- Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
- Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
- Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.
Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

