CMMC Certification Levels: What Is the Right Level for My Company?

CMMC Certification Levels: What Is the Right Level for My Company?


With the Cybersecurity Maturity Model Certification (CMMC) Version 1.0 finally released, contractors looking to work for the Department of Defense (DoD) are wondering what CMMC level they should apply for. While being closely similar to the Version 0.7 draft, the final version of the CMMC model includes descriptions of processes and practices in Appendix B and source mapping in Appendix E.

This article will go over the five levels of the CMMC framework and the requirements contractors need to meet to obtain a certificate.

The 5 CMMC Certification Levels

Unlike previous security standards like the Defense Federal Acquisition Regulations (DFARS) and NIST SP 800-171, CMMC categorizes contractors into five different levels based on the maturity of their cybersecurity policies and processes, with each level building on the other. So, to achieve a Level 2 certificate, a contractor must first meet the requirements of Level 1 and so on. Here's a breakdown of the CMMC levels.

CMMC levels explained

  • Level 1: Basic Cyber Hygiene

This level is focused on safeguarding federal contract information (FCI) and requires contractors to implement 17 NIST SP 800-171 security controls. All companies with an active contract with the DoD should be Level 1 certified.

  • Level 2: Intermediate Cyber Hygiene

This level is often referred to as the transition step toward CMMC Level 3. This is because it's at this level that controlled unclassified information (CUI) is introduced. Contractors are expected to document their cybersecurity policies and processes to protect CUI. In addition, this level needs 45 additional security controls.

  • Level 3: Good Cyber Hygiene

At this level, contractors are permitted to generate and handle CUI and must implement the remaining 47 NIST SP 800-171 security controls. This level also introduces the situational awareness control, which outlines how contractors collect and respond to cyberthreat intelligence information, and how they relay the information to stakeholders.

  • Level 4: Proactive

Level 4 is all about contractors’ ability to handle advanced persistent threats (APTs). This level requires them to implement a proactive cybersecurity program capable of mitigating APTs. Also, companies working for the DoD must regularly analyze and improve the tactics, techniques, and procedures (TTP) they use to keep CUI safe.

  • Level 5: Advanced/Progressive

This is the highest level of the CMMC framework. At this level, contractors must have state-of-the-art cybersecurity protocols that can detect and deal with APTs as well as other sophisticated threats. Also, this level requires the implementation of 171 NIST SP 800-171 security controls, which are separated into 17 domains.

Why Use a Tiered System?

Before the CMMC was developed and released, DoD contractors had to comply with the standards and security controls stated under the NIST 800-171 framework. Small- and medium-sized contractors with no IT staff or information security expert found it difficult to comply with the full set of controls. Larger contractors, meanwhile didn't have trouble meeting the minimum baseline requirements but found that investing more resources to constantly improve their cybersecurity posture was a financial disadvantage. By introducing a tiered system, the CMMC framework ensures that contractors can meet the exact requirements specific to a certain level before they can bid, win, and work on government contracts.

What CMMC Certification Level Do I Need?

Before anyone can work on government projects, the DoD checks a contractor's access to CUI and FCI. The DoD will then assign a CMMC level to that contractor based on the amount of government information it handles. After a CMMC level is assigned, the contractor must work to complete the requirements needed for that level. Once all requirements are met, a certified third-party assessor organization (C3PAO) will conduct an audit before a certificate is given.

Preparing for a CMMC audit takes a lot of time and work, which is why contractors should start as soon as possible. To make the process faster, they can partner with a trusted managed IT services provider like Charles IT. We will perform a detailed gap assessment to identify potential weaknesses in a contractor's cybersecurity posture and provide them with a remediation plan that will assist in resolving all cybersecurity issues to ensure their company is ready for CMMC compliance. Start your gap assessment now.

New call-to-action

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”