What are the CMMC Levels?


The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders. The CMMC covers basic cybersecurity standards through advanced cybersecurity practices and helps to protect controlled unclassified information (CUI) as well as Federal Contract Information (FCI).

The CMMC now requires third-party validation and certification, which aims to increase industry compliance. Without compliance, organizations will not qualify for DoD RFPs, RFIs, and RFQs. 

There are five certification levels of the CMMC framework (often referred to as maturity levels) that assessors will leverage. 

Cybersecurity Maturity Model Certification Levels

The figure above is from the Cybersecurity Maturity Model Certification (CMMC) v.1.02, published March 18, 2020, to make administrative corrections to v.1.0 (with no substantive or critical changes).

  • CMMC Level 1 – Basic Cyber Hygiene: Basic cybersecurity appropriate for small companies. Not all small businesses will fall under Level 1; the level requirement should be stated in the RFI/RFP for the contract or subcontract work.
  • CMMC Level 2 – Intermediate Cyber Hygiene: Contains universally accepted NIST SP and CSF cybersecurity best practices.
  • CMMC Level 3 – Good Cyber Hygiene: Includes coverage of all NIST 800-171 controls and additional CMMC components.
  • CMMC Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.
  • CMMC Level 5 – Advanced/Progressive: Includes highly advanced cybersecurity practices and cybersecurity standards.

The CMMC was fundamentally designed to help organizations with risk management, combat cyber threats, and identify vulnerabilities. The CMMC model builds upon sound cybersecurity practices that many can use as a basis for proactive incident response.

Previous iterations of controls from the Department of Defense (DoD), known as the Defense Federal Acquisition Regulation Supplement (DFARS), were put in place to aid DoD contractors in conducting self-assessments in order to qualify for federal contracts, but were found difficult to enforce.