Find out what the DoD’s new CMMC requirements means for contractors. Check out our white paper.


What are the 5 levels of CMMC?

The Department of Defense (DoD) built the Cybersecurity Maturity Model Certification (CMMC) framework to better assess and improve the cybersecurity posture of the Defense Industrial Base (DIB). CMMC’s purpose is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect federal contact information (FCI) and controlled unclassified information (CUI) that resides on the DIB’s networks.
CMMC maps cybersecurity best practices and processes to five maturity levels, summarized in the figure below. Process levels range from simply performed at Level 1 to optimized at Level 5. In parallel, practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5.

CMMC Maturity Level Descriptions

Source: Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.0

How CMMC works: Domains, capabilities, practices and processes

CMMC incorporates pre-existing legislation such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices.
It categorizes these best practices into 17 broad domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; they apply depending on the CMMC maturity level sought.

173 practices are mapped across the five CMMC maturity levels. Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures

Companies will demonstrate compliance with the required capabilities by showing adherence to a range of practices and processes. Practices are the technical activities required within any given capability requirement; 173 practices are mapped across the five CMMC maturity levels. Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures; nine processes are mapped across the five CMMC maturity levels. 

What CMMC level does my company need to achieve?

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with, and the range of cyber threats associated with that information. The following summary of the process and practice standards for each of CMMC’s five levels will help you identify the appropriate CMMC level for your business. 

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with

CMMC Level 1

Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

Processes: Managed
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices: Proactive
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs. 

CMMC Level 5

Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Proactive
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
It is important to note one of the most significant changes from previous practice to the new CMMC framework, namely, the shift from self-assessment to external assessment of cybersecurity compliance and, likewise, the certification of your organization’s CMMC level. External assessments will be conducted by Third Party Assessment Organizations (C3PAOs).

Three key points to keep in mind about CMMC levels

  1. CMMC levels and their associated processes and practices are cumulative. For example, for an organization to achieve CMMC Level 3, it also must demonstrate achievement of Levels 1 and 2.
  2. Organizations must meet requirements for the level they seek in both the practice and the process realms. For example, a contractor that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at the lower CMMC Level 2.
  3. DoD Prime contractors must flow down the appropriate CMMC level requirement to their sub-contractors, which will vary depending on the nature of the subcontractors’ work. For example, a prime contractor with CMMC Level 5 certification could have a subcontractor with which it shares just FCI; the DoD would require that subcontractor to achieve Level 1 certification.

How PreVeil can help

The new CMMC framework will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. CMMC’s implementation is on the fast track, and whether your company can continue to work with the DoD will be determined by whether it can achieve the appropriate CMMC maturity level for the contract you seek.
Check out PreVeil’s new CMMC white paper that goes into depth on the DoD’s new cybersecurity principles and provides insight into how PreVeil can put you on the path to CMMC compliance. Download here.