1. Home
  2. |Insights
  3. |Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Client Alert | 1 min read | 11.13.19

Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:

  • Condensing the CMMC requirements;
  • Modifying the practices and processes; and
  • Providing clarifications and examples for CMMC Level 1 requirements.

Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:

  • Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
  • Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
  • Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.

Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

Contacts

Insights

Client Alert | 2 min read | 07.15.26

CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations

As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights....