A Quick Guide to the 5 CMMC Levels

A Quick Guide to the 5 CMMC Levels

In our previous blog, we discussed that one of the key differences between Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) is the latter’s five maturity levels. 

In this blog, we’ll delve deeper into the focus and requirements of all five CMMC certification levels.  

Before proceeding, make sure to read this first: 

An Introduction to the CMMC Certification 


Overview: Five CMMC Levels

The CMMC has the same goal as DFARS, which is to protect the controlled unclassified information (CUI) that Department of Defense (DoD) suppliers keep. Because of this, the CMMC operates on a framework that builds upon existing DFARS requirements. It consists of five levels that DoD suppliers mature into the better they get at protecting federal contract information (FCI) and CUI.

Particularly, each CMMC maturity level is characterized by a set of cybersecurity processes and practices as seen in the figure below.

The CMMC levels and their associated cybersecurity processes and practices are cumulative. This means that to be certified at a certain CMMC level, you must meet all of the requirements of the preceding levels as if you're applying for certifications for all of those levels. This allows applicants to apply for a certification level of their choosing once, rather than having to go through certifications multiple times. 

For example, to get CMMC Level 2 certification, you must satisfy the cybersecurity processes and practices required for both Levels 1 and 2. What’s more, you must demonstrate both the cybersecurity processes and practices associated with Level 2. That is, if, for example, you’ve met Level 2 for processes but not for practices, then you’d only be eligible for Level 1 certification. 

Each CMMC level also has a particular focus to ensure alignment between cybersecurity processes and practices with the type and sensitivity of information to be protected. As shown in the figure above, only companies that achieve CMMC Levels 3–5 can handle CUI, with Levels 4 and 5 offering increased protection against advanced persistent threats (APTs). On the other hand, those that get Level 1 or 2 certification need to secure only FCI, which means they don’t need to meet full DFARS compliance. This makes certification more cost-effective and affordable to smaller DoD vendors that don’t deal with CUI. 

Now, let’s take a closer look at each CMMC level. 

CMMC Level 1

Processes: Performed

At Level 1, process maturity is not yet assessed. To be certified, you must only perform the practices specified for this level. Because of this, a CMMC Level 1 supplier may have limited or inconsistent cybersecurity maturity processes. 

Practices: Basic Cyber Hygiene

Since Level 1 focuses on protecting FCI, you must meet all 17 basic safeguarding requirements specified in FAR 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented

At CMMC Level 2, you must establish and document standard operating procedures (SOPs), policies, and strategic plans that guide the implementation of your CMMC efforts. By having documentation, you’ll ensure that your SOPs and policies are practiced in the same manner all the time. 

Practices: Intermediate Cyber Hygiene

On top of the 17 cybersecurity practices required in Level 1, you must adopt an additional 55 practices — 48 of which are based on a select subset of security requirements specified in the NIST SP 800-171 framework. Following this technical framework is a step toward protecting CUI, and this transition is the focus of Level 2. 

CMMC Level 3

Processes: Managed

To become a CMMC Level 3 company, you should establish, maintain, and provide a plan that details how you will manage the implementation of the required cybersecurity practices. This plan may cover the following information: 

  • Mission and goals
  • Project plans
  • Resources to be tapped
  • Required training
  • Roles of relevant stakeholders

Practices: Good Cyber Hygiene

At this level, you should be able to safeguard CUI by meeting all the security requirements specified in NIST SP 800-171 — and hence become fully DFARS-compliant. You must also adopt 20 more cyber hygiene practices and all FAR 48 CFR 52.204-21 requirements.

CMMC Level 4

Processes: Reviewed

Level 4 requires you to document, review, and measure your cybersecurity practices for effectiveness. Should your company encounter any issues, your staff should be able to inform higher-level management and adopt corrective measures. 

Practices: Proactive

At CMMC Level 4, you should be able to protect CUI from APTs, so you must meet a select subset of 11 security requirements from the Draft NIST SP 800-171B as well as 15 additional cybersecurity best practices. This is on top of all the requirements in the lower CMMC levels. 

Adopting all 156 practices required in this level enhances your company’s detection and response capabilities so that you can effectively address and adapt to the changing tactics, techniques, and procedures used by APTs. 

CMMC Level 5

Processes: Optimizing

To achieve CMMC Level 5, you must have standardized and optimized processes in place across your entire company.  

Practices: Progressive/Advanced 

After meeting all the requirements of the lower CMMC levels, Level 5 requires you to adopt 15 more cybersecurity practices, amounting to a total of 171 practices. Doing so increases the depth and sophistication of your company’s capabilities in repelling APTs. 


For a quick summary of the total number of practices and technical frameworks adopted by each CMMC level, refer to the diagrams below.  

Feeling overwhelmed by the technical complexity of meeting CMMC compliance? Don’t worry, Charles IT is here to help you using our two-step process: gap assessment + CMMC services. Get started today by uncovering your company’s security gaps.

New call-to-action