The Five Levels of CMMC: An introduction to the Cybersecurity Maturity Model Certification framework

The Department of Defense built the Cybersecurity Maturity Model Certification (CMMC) framework to better assess and improve the cybersecurity posture of the Defense Industrial Base (DIB). CMMC’s purpose is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect federal contact information (FCI) and controlled unclassified information (CUI). Going forward, any defense company that does business with the DoD (except for those handling COTS) will need to become CMMC compliant.
This piece will describe the most important aspects of CMMC and how to get started with your compliance journey.

Understanding CMMC domains, capabilities, practices and processes

CMMC maps cybersecurity best practices and processes to five maturity levels seen in the figure below. Process levels range from simply performed at Level 1 to optimized at Level 5. In parallel, practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5.

Quick Guide to Get Started with CMMC

CMMC incorporates pre-existing legislation such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices.

It categorizes these best practices into 17 broad domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; they apply depending on the CMMC maturity level sought.

Companies will demonstrate compliance with the required capabilities by showing adherence to a range of practices and processes. Practices are the technical activities required within any given capability requirement; 173 practices are mapped across the five CMMC maturity levels. Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures; nine processes are mapped across the five CMMC maturity levels.

CMMC vs NIST 800-171: The essential differences

With the passing of the DFARS interim rule in late 2020, the DoD solidified the introduction of CMMC as well as its importance in DoD contracts. CMMC is built on the on the foundation of NIST 800-171, which until now, dictated the cybersecurity standards that all DIB companies had to follow. Specifically, DFARS clause 252.204-7012 stipulated that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have a Plan of Actions and Milestones (POAM) to do so.

POAM stands for Plan of Action and Milestones. A POAM is a plan that indicates the specific measures that a DIB company will take to correct deficiences found during a security control assessment. The POAM should identify which tasks should be done as well as the resources required to make the plan work.

One of the most significant changes from NIST 800-171 to CMMC is the shift from self-assessment to external assessments of cybersecurity compliance, which will be conducted by Third Party Assessment Organizations (C3PAOs). Further, whereas in the past noncompliance with DoD cybersecurity regulations was acceptable as long as companies prepared POAMS, that will no longer be the case under CMMC.
CMMC also expands upon NIST 800-171 by supplementing that standard’s 110 security requirements and adds 20 new requirements to Level 3. These requirements must be met in order to be CMMC certified. These additional practices are designed to support good cyber hygiene.
Until CMMC is fully rolled out per the timeline provided by the DoD, CMMC and NIST SP 800-171 mandates will coexist. That is, over the next several years the number of defense contracts subject to CMMC requirements will ramp up and those subject to NIST SP 800-171 will decline to zero.

Timeline for CMMC implementation

The DoD is aiming to add CMMC Level Requirements to DoD contract Requests for Information (RFIs) beginning in 2021 – see table below. CMMC Level requirements will start with an estimated 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense. At that point, for those contracts, CMMC certification will be used as the basis for “go/no go” decisions.

It is expected that approximately 1,500 primes and subcontractors will be affected in the first round of implementation and, likewise, will need to be CMMC certified by Fall 2021. The roll-out will continue over a five-year period, with the expectation that all new DoD contracts will include CMMC requirements by Fall 2026.

What CMMC level does my company need to achieve?

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with. The following summary of the process and practice standards for each of CMMC’s five levels will help you identify the appropriate CMMC level for your business. 

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with.


CMMC Level 1

Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

Processes: Managed
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as 20 additional practices to mitigate threats. Any contractor with a DFARS clause n their contract will need to at least meet Level 3 requirements. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices: Proactive
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs. 

CMMC Level 5

Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Proactive
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

How to get CMMC Certified

To get started on the path to compliance, DIB companies need to determine if they are handling CUI. Once they determine where they are and what type of information they are handling, they should determine the gaps between where they are and where they want to be and create a POAM for how to get to where you are supposed to be.
For companies handling very basic information, they only need to get to a Level 1. For others who are handling CUI, the process is more involved. They need to determine if their whole organization needs to be level 3 compliant or if an enclave approach is more appropriate, whereby only part of their company needs to embrace a compliance solution.
The CMMC-Accreditation Body (AB) has already trained a number of Provisional Assessors and Registered Practitioners who can server in an advisory capacity to companies seeking CMMC compliance. The AB has also trained a small number of provisional CC3PAOs. While the C3PAOs cannot provide official assessments at this time, it is thought that they will be able to do so later this year. Contractors should start by preparing now. Early adopter will most likely only need to make minor changes to their processes, ensuring they can be first in line for their certification audit.

What CMMC means for DoD contractors

  1. Once the DFARS Interim Rule phases out and CMMC becomes fully implemented, POAMs will not be allowed. Contractors will have to meet all 130 controls.
  2. DoD Prime contractors must flow down the appropriate CMMC level requirement to their sub-contractors, which will vary depending on the nature of the subcontractors’ work. For example, a prime contractor with CMMC Level 5 certification could have a subcontractor with which it shares just FCI; the DoD would require that subcontractor to achieve Level 1 certification.
  3. Organizations must meet requirements for the level they seek in both the practice and the process realms. For example, a contractor that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at the lower CMMC Level 2.
  4. Contractors should get started on preparing their organization now and not wait until they see an actual contract with a CMMC requirement. Preparation takes time and failure to prepare now could mean loss of revenue later.

How PreVeil can help

The new CMMC framework will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. CMMC’s implementation is on the fast track, and whether your company can continue to work with the DoD will be determined by whether it can achieve the appropriate CMMC maturity level for the contract you seek.
Check out PreVeil’s new CMMC whitepaper that goes into depth on the DoD’s new cybersecurity principles and provides insight into how PreVeil’s advanced, easy to use, end-to-end encrypted email and file sharing can put you solidly on the path to CMMC compliance.