The Cybersecurity Maturity Model Certification (CMMC) is here, and it has government contractors scratching their heads as they try to figure out all the ins and outs of the new standard. Your current contract may not be subject to the CMMC, but any new contract — or contract renewal — will need to be compliant.

One of the unique aspects of CMMC compliance is the tiered structure. The CMMC is divided into five levels, and each level requires greater cybersecurity maturity than the level below it. The higher your level, the more sophisticated and comprehensive your security readiness, and the more contracts you’ll be eligible for.

The five levels are tiered, and each level builds on the one below it. Most companies will aim to achieve a certification between Levels 1 and 3. Level 5 uses the most advanced and progressive practices available.

Every DoD contract is assigned to one of the levels, based on the sensitivity of the information the contractor will be handling.

[Diagram: the five levels of CMMC]

To be awarded a contract with the DoD, it won’t be enough to be CMMC compliant — your company will need to be compliant at the right CMMC level. The good news is that you don’t need to be more compliant than necessary. But you will need to be knowledgeable about what level you need to work toward to win the contracts you want.

Still confused? Let’s get you sorted out.

More about CMMC: Should You Panic Over the Cybersecurity Maturity Model Certification?

CMMC Level 1 — Basic Cyber Hygiene

Level 1 is the most basic level of cybersecurity maturity and consists of the basic safeguarding requirements contained in Federal Acquisition Regulation (FAR) clause 52.204-21. Level 1 is all about protecting federal contract information (FCI).

This level requires only basic cyber hygiene, and it allows organizations to practice the processes on an ad-hoc basis without process documentation. It comprises 17 practices across six domains, which cover the basics such as password strength and the most basic physical security practices like locking doors.

Contractors at the bottom of the supply chain usually only need to be compliant at this level. For this reason, Level 1 will apply to the vast majority of DoD contractors.


CMMC Level 2 — Intermediate Cyber Hygiene

Level 2 creates a base level of cybersecurity for organizations that deal with controlled unclassified information (CUI). Unlike Level 1, this level requires written policies and documented practices for each policy.

Level 2 contains a subset of requirements from NIST SP 800-171 and will be familiar to contractors who are NIST compliant. It’s considered a transitional stage between Levels 1 and 3, like a stepping stone for protecting CUI. Most companies are already at Level 2, or will find it very doable to get there.

Level 2 contains all of the practices from Level 1, plus another 55 practices, for a total of 72 practices across 15 domains.

CMMC Level 3 — Good Cyber Hygiene

Organizations at Level 3 need to robustly protect CUI and have an ongoing security management plan. CMMC compliance at this level means you’re establishing, maintaining, and resourcing a plan that demonstrates the management of cybersecurity activities. The practices at Level 3 contain all of NIST SP 800-171, as well as additional practices to mitigate threats. If you have a DFARS (Defense Federal Acquisition Regulation Supplement) clause in your contract, you’ll need to be at least Level 3 compliant.

Compliance at this level makes your organization a difficult target for malicious attackers. Your security plan will probably include information about missions, goals, project plans, resourcing, required training, and stakeholder responsibilities.

The practices for Level 3 include everything from Level 2, plus another 58 practices, for a total of 130 practices across all 17 domains.

CMMC Level 4 — Proactive

At Level 4, your organization is focused on protecting CUI from advanced persistent threats (APTs). At this point, the practices for CMMC become much more complex and time-consuming. You will need to review and measure practices for effectiveness, as well as implement a subset of enhanced security practices from NIST SP 800-171B and other security best practices. Few companies will need to be compliant at this level, but if you’re one of them, you’ll have your work cut out for you.

The practices at this level are designed to improve your ability to address and adapt to the constantly evolving tactics and techniques of APTs. A Level 4 organization has a substantial and proactive cybersecurity program.

Level 4 requires you to review and measure your practices to ensure they are as effective as possible. You’ll also need to take corrective action when necessary and provide regular reports to executive leadership on status and any issues.

Level 4 includes everything from Level 3, plus another 26 practices, for a total of 156 practices across all 17 domains.

CMMC Level 5 — Advanced/Progressive

Level 5 of the CMMC represents the most mature cybersecurity program. Very few contractors will be expected to need this level.

At Level 5, the focus is on standardizing and optimizing process implementation throughout your organization. Like Level 4, you’re protecting CUI from APTs. The new practices at this level are designed to increase the depth and sophistication of your company’s cybersecurity capabilities. Here, you’ll need to have subject matter experts on your team.

Level 5 includes everything from Level 4, plus another 15 practices, for a total of 171 practices across all 17 domains.

What CMMC Level Is Right for Your Organization?

Each RFP will state exactly what CMMC level the contract applies to, so there will be no confusion or ambiguity when you bid. That said, you should know well before you start bidding what level you’ll be required to comply with.

A good rule of thumb is to start by assuming that you’ll need CMMC Level 3, unless you’re at the bottom of the supply chain. Most companies that aren’t at Level 1 will need to comply with Level 3. Also ask these questions:

  • Do we receive, process, or create CUI? If so, you will need to be at Level 3 or above.
  • Do we handle high value assets (HVA) CUI? If so, you will need to be at Level 4 or 5.

If you answered No to both of those questions, then you will probably only need to meet Level 1 or 2.

Determining which CMMC level is right for your organization is fairly straightforward. Becoming CMMC compliant, however — that’s another thing. Using the TCT Portal means you’ll be in a position to preserve your evidence against each of the CMMC requirements, and be fully prepared to undergo assessments and reviews.

If you’re looking for a partner who’s been neck-deep in the front lines of compliance for decades, Total Compliance Tracking is your sure-bet to guide you through CMMC with as little drama as possible.

CMMC compliance doesn’t have to suck.
