The Levels of the Cybersecurity Maturity Model Certification Explained

The Levels of the Cybersecurity Maturity Model Certification Explained

If you’re a Department of Defense (DoD) contractor or a subcontractor dealing with somebody who sells to the DoD, you might have already heard about the Cybersecurity Maturity Model Certification (CMMC). If not, then you should know that beginning in late 2020, the Defense Federal Acquisition Regulation Supplement (DFARS), which regulates how DoD contractors should handle certain types of information on their systems will be supplemented by the CMMC

Cybersecurity Maturity Model: What is it?

The maturity model concept lays out a series of stages or levels for a certain capability or competence. The higher level you are, the better your capabilities are. This model makes it explicitly clear what’s required for each level of maturity, from current competencies to organizational processes. The CMMC follows this concept, where a contractor’s cybersecurity capabilities are evaluated based on a number of controls and requirements. 

What are the five levels of the CMMC model?


Related article: Know The Difference Between DFARS and CMMC


CMMC Level 1: Basic Cyber Hygiene

There are 17 security controls evaluated at this level. Guided by the Federal Acquisition Regulation (FAR), this is the minimum level of cyber hygiene required to hold Federal Contract Information (FCI), beyond even just the DoD. A level 1 certification indicates that cybersecurity best practices concerning the identified controls are “performed” and included in the business’s processes.  

This is the easiest of the five levels to achieve, and there isn’t any requirement to document security processes. 

CMMC Level 2: Intermediate Cyber Hygiene

At level 2, a selection of 48 practices from the NIST 800-171 r1 regulations that tie to DFARS requirements are expected to be observed, along with the FAR basics. 7 additional cyber hygiene practices are expected as well. This level is slightly more difficult than level 1, but it’s only a transition point to managing Controlled Unclassified Information (CUI)  with the DoD. Security processes here must not only be performed, but also “documented.”

CMMC Level 3: Good Cyber Hygiene

Contractors are required to implement the entire NIST 800-171 r1 framework and be completely DFARS compliant at CMMC level 3. Compliance to 20 additional cyber hygiene practices and FAR basics is also expected at this level. Fortunately, contractors who are already compliant with DFARS requirements are already 85% of the way through this certification level. As this is the minimum level required to handle CUI, most DoD contractors aim to certify at this level. 

Contractors also need to demonstrate that cybersecurity processes are well-managed with ample review and resourcing before they achieve level 3 certification.

CMMC Level 4: Proactive Cyber Hygiene

At this level, contractors are expected to meet all the requirements of previous levels along with a selection of 11 new cybersecurity practices from the draft version of the NIST SP-800 171B. To achieve a level 4 certification, security processes need to be reviewed and management needs to be effectively looped into the process. At CMMC level 4, the focus shifts from only protecting CUI to also proactively defending against state-based advanced persistent threats (APTs). 

CMMC Level 5: Advanced and Progressive Cyber Hygiene

A contractor achieves level 5 certification by demonstrating sophisticated cybersecurity capabilities to protect CUI from APTs. At this level, contractors are required to have a standardized documentation of cybersecurity practices and incidents across the organization. 

Like in CMMC level 4 certification, a level 5 certification requires standardized, organization-wide cybersecurity processes involving continuous information-sharing and collaboration. A CMMC level 5 certification indicates that a contractor’s cybersecurity defenses are optimized and progressively reviewed to ward off APTs.

Preparing for your Cybersecurity Maturity Model Certification

Each cybersecurity maturity level has requirements that all contractors wishing to win a bid for or keep their current DoD contract should know fully well. While successfully achieving compliance to CMMC is a lot of work, it is not an impossibility. There is a wealth of information about CMMC and how to prepare for it, so there is no real reason not to achieve the certification level you desire. To help prepare your business for your CMMC audit, here are some tips:


You’ll want to start off by learning about the CMMC levels and its requirements. By reading this resource and others like it, you’re already ahead of a lot of your potential competitors. You can also check out more comprehensive preparation tips here.



You’ll then want to go from reading and learning the CMMC model to identifying where the gaps are between your current cybersecurity maturity and the CMMC level you’re trying to achieve. It’s best to do this with a third-party organization with extensive experience on DFARS compliance, as the official audit will be conducted by an independent third-party organization. 


You’ll want to implement a range of cybersecurity solutions that will allow you to fill the gaps in your current cybersecurity maturity. Among the solutions you’ll need are as follows:

  • backup and disaster recovery to minimize downtime;
  • dark web monitoring to prevent credentials from falling into the hands of cybercriminals;
  • endpoint encryption to ensure that all devices in your network doesn’t have sensitive information stolen from it;
  • external vulnerability scanning to be informed of any potential breaches to your network traffic;
  • security awareness training to protect your employees from social engineering attacks and to instruct them on how to respond to cybersecurity incidents; and
  • security information and event management (SIEM) to monitor critical infrastructure for security incidents 24/7.


Once you’ve identified and filled in the gaps in your cybersecurity hygiene, you’ll need to evaluate your preparedness for the audit. Sooner or later, you’ll confront the question, “Is preparing for the CMMC audit something I want to and able to do in-house or should I elect the help of an expert?” The decision you make should be based on your ability to navigate through the intricacies of this new system. Do you have staff that’s knowledgeable of the CMMC requirements? Are you able to put the required cybersecurity solutions in place on your own? If your answer to these questions is not an immediate yes, then you should consider consulting with an expert. 

A gap assessment from a refutable expert in DFARS compliance like Charles IT will not only save you lots of time, but also increase your chances of acing your CMMC audit. Contact us now to start filling the gaps in your cybersecurity capabilities!

New call-to-action

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”