Standards Comparison

    CMMC

    Mandatory
    2021

    DoD certification verifying cybersecurity maturity in defense supply chain

    VS

    BREEAM

    Voluntary
    1990

    Global certification framework for sustainable built environment performance

    Quick Verdict

    CMMC mandates cybersecurity certification for DoD contractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), while BREEAM is a voluntary certification of sustainable building performance. Defense firms adopt CMMC because contract awards depend on it; developers pursue BREEAM for asset value uplift, ESG credibility, and market differentiation.

    Cybersecurity Maturity

    CMMC

    Cybersecurity Maturity Model Certification 2.0

    Cost
    €€€€
    Complexity
    High
    Implementation Time
    12-18 months

    Key Features

    • Three cumulative levels aligning FAR and NIST controls
    • Assessment type depends on level: self-assessment at Level 1, self-assessment or third-party C3PAO certification at Level 2, DIBCAC (government) certification at Level 3
    • Mandatory flow-down to DIB subcontractors via DFARS 252.204-7021
    • Limited POA&Ms (Level 2 and 3 only) with strict 180-day closure rules
    • Annual affirmations in SPRS attesting to continued compliance

    Building Sustainability

    BREEAM

    Building Research Establishment Environmental Assessment Method

    Cost
    €€€
    Complexity
    High
    Implementation Time
    12-18 months

    Key Features

    • Credit-based scoring across 10 sustainability categories
    • Third-party BRE certification and quality audits
    • Adaptable schemes for buildings, infrastructure, communities
    • Weighted emphasis on energy, health, whole-life carbon
    • Continuous updates via Knowledge Base Compliance Notes

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    CMMC Details

    What It Is

    Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense (DoD) certification framework ensuring cybersecurity protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the Defense Industrial Base (DIB). It uses a tiered, risk-based model with three cumulative levels: Level 1 (basic FCI safeguards), Level 2 (NIST SP 800-171 for CUI), and Level 3 (NIST SP 800-172 enhancements against APTs).

    Key Components

    • 134 practices across 14 domains (e.g., Access Control, Incident Response), numbered after NIST SP 800-171 and 800-172 requirements
    • Level 1: the FAR 52.204-21 basic safeguarding requirements (17 practices in the original CMMC 2.0 model, consolidated to 15 in the final rule); Level 2: the 110 NIST SP 800-171 requirements; Level 3: Level 2 plus 24 NIST SP 800-172 enhancements
    • Built on NIST SP 800-171/172 and FAR 52.204-21
    • Level 1 and some Level 2 by self-assessment reported in SPRS; Level 2 certification by a C3PAO recorded in CMMC eMASS; Level 3 by DIBCAC, which requires a prior Level 2 C3PAO certification

    Why Organizations Use It

    Mandated for DoD contractors and subcontractors handling FCI/CUI: without the required level, a firm cannot be awarded or keep contracts that involve that data. Beyond eligibility, it reduces cyber risk, strengthens supply chain trust, lowers incident costs, and provides a procurement advantage. Builds operational resilience and stakeholder confidence.

    Implementation Overview

    Phased approach: scoping, gap analysis, remediation, assessment preparation, certification, sustainment. Applies to all DIB firms (SMEs to primes); requires System Security Plan (SSP), evidence artifacts, POA&Ms (limited), annual affirmations. Timelines: 12+ months for Level 2.

    BREEAM Details

    What It Is

    BREEAM (Building Research Establishment Environmental Assessment Method) is a science-led sustainability certification framework for the built environment, launched in 1990 by BRE. It assesses new construction, refurbishments, in-use assets, communities, and infrastructure using a credit-based, weighted scoring methodology producing ratings from Pass (≥30%) to Outstanding (≥85%).

    Key Components

    • 10 core categories: Management, Health & Wellbeing, Energy, Transport, Water, Materials, Waste, Land Use & Ecology, Pollution, Innovation.
    • Credits awarded per compliant issue, with category weightings prioritizing high-impact areas such as energy.
    • Technical manuals, Knowledge Base Compliance Notes (KBCNs), licensed assessors, and BRE third-party certification accredited under ISO/IEC 17065.

    Why Organizations Use It

    • Operational savings (22-33% energy reduction), asset premiums (up to 30% sales uplift).
    • ESG alignment, EU Taxonomy support, regulatory incentives.
    • Risk mitigation for climate resilience, biodiversity; market differentiation, tenant appeal.

    Implementation Overview

    • Phased: pre-assessment, design integration, construction evidence, certification, in-use monitoring.
    • Early assessor/AP appointment essential; global applicability, all scales.
    • BRE quality-assurance review and certification required before a rating is issued.

    Key Differences

    Scope

    CMMC
    Cybersecurity for FCI/CUI protection
    BREEAM
    Sustainability across built environment lifecycle

    Industry

    CMMC
    Defense Industrial Base contractors
    BREEAM
    Construction, real estate, infrastructure globally

    Nature

    CMMC
    Mandatory DoD certification program
    BREEAM
    Voluntary third-party sustainability certification

    Testing

    CMMC
    Level 1 self-assessment annually; Level 2 (self or C3PAO) and Level 3 (DIBCAC) assessments every 3 years, with annual affirmations in SPRS in between
    BREEAM
    Licensed assessor audits with BRE QA

    Penalties

    CMMC
    Contract ineligibility; False Claims Act exposure for inaccurate affirmations
    BREEAM
    No regulatory penalties; failing to certify means loss of the rating and the market positioning it brings


    Run Maturity Assessments with GRADUM

    Transform your compliance journey with our AI-powered assessment platform

    Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

    100+ Standards & Regulations
    AI-Powered Insights
    Collaborative Assessments
    Actionable Recommendations
