You keep talking about Maturity Levels 1 and 3; what happened to 2?
Maturity Level 3 is the minimum required to handle CUI under contracts that include CMMC requirements. Maturity Level 1 is the minimum required to handle all other non-public government information (i.e., FCI). But moving from Maturity Level 1 to Maturity Level 3 is a big step. Organizations go from needing to address only 17 practices and having ad-hoc processes to addressing 130 sophisticated practices and having written processes whose implementation is demonstrable. In creating the CMMC Model, DoD wanted to encourage contractors to move beyond Maturity Level 1, and Maturity Level 2 allows those contractors who are taking cybersecurity more seriously to be recognized for their efforts. Although Maturity Level 2 is not expected to be a requirement in any government RFI/RFP, contractors having a Maturity Level 2 certification can be awarded preferences over those having only Maturity Level 1 certifications.