
The 5 Levels of CMMC Explored

In response to the growing number of cyber threats that continue to plague organizations, the Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC) to ensure that Defense Industrial Base suppliers are adequately protecting sensitive data known as Controlled Unclassified Information (CUI). One weak link in the DoD's supply chain can compromise national security.

The CMMC model ensures that DoD contractors, and any other organizations within their supply chain, have been certified as having systems and practices in place that meet the cybersecurity requirements of the specific certification level for the data they are handling.

Prior to the implementation of the CMMC, the DoD already required its contractors to adhere to existing security standards such as NIST SP 800-171; however, those contractors could self-attest that they were compliant.

In this blog post, we'll explore each of the five levels.

Level 1: Basic Cyber Hygiene 

Level 1 focuses on safeguarding information based on the requirements set forth in 48 CFR 52.204-21. Contractors looking to achieve Level 1 status need to have basic cybersecurity controls in place, such as using antivirus software, having physical security around computer equipment, using unique user accounts for each individual, and requiring frequent password changes.

Rather than handling CUI, these organizations are more likely to deal with Federal Contract Information (FCI). There is no requirement for assessment of process maturity at this level. 

Level 1 certification requires compliance with 17 practices as defined in the CMMC model. These 17 required practices for Level 1 certification fall under a few specific domains which are Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection and System and Information Integrity.

Level 2: Intermediate Cyber Hygiene 

Level 2 acts as a transitional step, as companies need to expand their scope from protecting FCI to protecting CUI.  Organizations looking to obtain Level 2 certification need to protect CUI under specific guidelines set forth in NIST SP 800-171.  

The main transition between Level 1 and Level 2 is the inclusion of a maturity model.  This model requires the organization to establish and document policies, procedures, and other strategic plans surrounding IT security.  

Level 2 certification requires compliance with 65 NIST 800-171 requirements, plus 7 other practices. In addition to the practices referenced for Level 1 compliance, organizations seeking Level 2 certification must document the specific policies and procedures they have in place for carrying out these practices. These practices fall into 15 domains. In addition to complying with the practices in the Level 1 domains, organizations seeking Level 2 certification must comply with additional practices falling into domains such as Audit and Accountability, Awareness and Training, Configuration Management, Incident Response, Maintenance, Personnel Security, Recovery, Risk Management, and Security Assessment.

Level 3: Good Cyber Hygiene 

In order to achieve Level 3 status, an organization must comply with various standards and controls across multiple frameworks, including all security requirements of NIST 800-171 and DFARS Clause 252.204.7012. 

Organizations seeking to gain Level 3 certification must demonstrate that they have implemented effective security controls and that they have the ability to protect CUI.  In relation to the maturity process, the organization must essentially prove that they have successfully implemented and are adhering to policies, procedures, and plans implemented in Level 2. 

Level 3 certification requires compliance with 110 NIST 800-171 requirements, plus 20 other practices, falling into all the CMMC domains. Over and above the domains for Levels 1 and 2, required controls for Level 3 fall into the two remaining domains as well, which are Asset Management and Situational Awareness.


Level 4: Proactive 

Level 4 certification deals largely with protecting CUI from Advanced Persistent Threats, which are generally nation-state sponsored threat actors who are highly dangerous to the nation's security.  Organizations hoping to achieve this level of certification must demonstrate that they have proactive measures in place to safeguard CUI from stealthy adversaries known as APTs. 

These proactive measures must allow the organization to adapt to evolving tactics, techniques, and procedures (TTPs) used by nefarious actors. In terms of the maturity process, a Level 4 organization must be able to review activities and procedures for effectiveness and must also have a procedure for informing management of issues or deficiencies. Level 4 certification requires compliance with 110 NIST 800-171 requirements plus 46 other practices, falling within all 17 domains of the CMMC model.


Level 5: Advanced/Progressive 

Organizations looking to achieve Level 5 certification must have an advanced or progressive cybersecurity program in place that optimizes cybersecurity capabilities. 

These organizations must implement sophisticated tools and processes to repel threats brought on by APTs.  In the maturity process, these organizations can demonstrate that they have standardized activities across all individual units and have the ability to identify and share improvements. 

Level 5 certification requires compliance with 110 NIST 800-171 requirements plus 61 other practices, falling into all 17 domains of the CMMC model. The organization must comply with all practices and capabilities covering all domains of the CMMC model.

Level 5 certification automatically implies that the contractor meets ALL of the criteria set by the CMMC including all requirements at Levels 1, 2, 3 and 4. 


In addition to the 5 levels, the CMMC is composed of 17 domains and 171 practices, most of which are part of the NIST SP 800-171 requirements. 

The domains are further broken down into capabilities, with only certain capabilities required for each level. Organizations that are looking to achieve Level 5 certification must comply with all 171 practices.

The following infographic gives a brief outline of how many practices are associated with each level. While navigating the CMMC is a complex process, it's advisable to turn to compliance experts like the team at 24By7Security to go through any of your questions. 


[Infographic: CMMC Overview, 24By7Security]


24By7Security is a Registered Provider Organization (RPO), certified by the CMMC Accreditation Body (CMMC-AB), fully qualified and trained to provide CMMC readiness services and help contractors in the Defense Industrial Base on their path to certification against the CMMC standard.

Learn more about our CMMC Readiness Services by clicking on this link.

Anirudh Nadkarni

Anirudh Nadkarni holds a Bachelor of Arts degree with a major in History from the University of Florida. As a Senior Security Analyst at 24By7 Security, Inc., his main focus is on compliance. Anirudh's role includes performing on-site Security Risk Assessments, assisting in the development of Privacy and Security Policies & Procedures, and conducting HIPAA training for healthcare providers and their staff. Anirudh is certified as a Health Care Information Security and Privacy Practitioner (HCISPP) by ISC2, and as a Certified Data Privacy Professional (CDPP) by Network Intelligence. Sign up for the 24By7Security blog and follow Anirudh's musings.
