September 2021

· 11 min read

A Guide to Cybersecurity Maturity Model Certification (CMMC) Levels

NSF-ISR's roadmap for understanding the five levels within the new Cybersecurity Maturity Model Certification (CMMC) program is essential reading for smart defense contractors.
Group of people walking up stairs in city - A Guide to Cybersecurity Maturity Model Certification (CMMC) Levels | NSF International

Introduction to CMMC Levels

For contractors who work with the Department of Defense (DoD) and are preparing for the required Cybersecurity Maturity Model Certification (CMMC) assessment, it's important to understand the five levels that make up the maturity model. They are not always well understood but well worth knowing. Consider this your guide to CMMC levels.

CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD will require all contractors to be certified to one of the five CMMC levels, including both technical security controls and maturity processes.

"CMMC is a unified standard that takes into account the various information security standards and best practices that need to be implemented within the defense industrial base supply chain to protect federal contract information and controlled unclassified information," says Rhia Dancel, Information Security Technical Manager with NSF-ISR.

Dancel's NSF-ISR colleague and fellow information security expert, Tony Giles describes it this way: "The DoD and its supply chain are keen to see organizations meet this mandated information security standard as soon as possible to further protect U.S. national security."

Cybersecurity processes and practices will be measured across five maturity levels under CMMC. This is in contrast to the previous National Institute of Standards and Technology (NIST) standards. NIST standards cover information security practices, and NIST 800-171 is one of the building blocks of CMMC.

The Five CMMC Levels Explained

The required certification level will be determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business.

For DoD contractors, the key question is: What level of certification will my organization be required to achieve?

The answer depends on the type of data exchanged or created by the DoD contract(s). There are three broad categories of information: public information, federal contract information (FCI) and controlled unclassified information (CUI).

Public Information: No CMMC Certification Level Required

Public information is described as data identified as "public release approved" or similar, or unmarked information available from an uncontrolled, publicly available government source. That would include, for example, government reports on industrial output forecasts intended for general release and publication.

Handling public information does not require any special handling or controls, and it's not included in official CMMC published guidelines. Meaning contractors working only with public information to fulfill their work for the DoD will not require CMMC certification.

Federal Contract Information (FCI): CMMC Level 1 Certification Likely

FCI is information that is not intended for public release. The designation is typically included in document markings or indicated in the contract. FCI, however, does not include basic accounting and transaction information required for invoicing and receiving payments.

If a DoD contractor requires only FCI data as part of defense work being done, they will likely need to achieve Level 1 CMMC certification. Level 1 requires a performance-only approach to cybersecurity and includes 17 cybersecurity practices. These 17 cybersecurity practices are basic and should be used by most companies working for the DoD.

Controlled Unclassified Information (CUI): Requires At Least CMMC Level 3 Certification

CUI is FCI that comes with additional guidance related to special safeguarding or handling controls. CUI should be clearly marked and defined in the DoD contract. Instructions for identifying and handling CUI can be found in the NIST Special Publication 800-171.

If a contractor does work for the DoD that includes sharing and processing CUI data, the contracted organization is required to achieve at least a CMMC Level 3 certification. This level requires compliance with all 130 practices and processes in Levels 1, 2 and 3.

"Level 1 is basic cyber hygiene where processes need to be performed. Level 2 is intermediate cyber hygiene; at this point, processes need to be documented," Dancel says. "Level 3 is good cyber hygiene, meaning processes should be managed. Level 4 is proactive, and you want processes to be reviewed and measured for effectiveness. And then Level 5 involves optimization of the organization's processes."

In November 2020, the DoD released CMMC Assessment Guide - Level 1 and CMMC Assessment Guide - Level 3. These documents define and explain CMMC compliance requirements. Assessors will rely on these guides during the assessment process, and DoD suppliers can also use them to prepare.


Note that the DoD did not release a Level 2 guide, as CMMC Level 2 is considered a transitional level. The DoD sees Level 2 as a steppingstone from Level 1 to Level 3, but the expectation is that it will not be a requirement in DoD contracts. CMMC also defines requirements for Levels 4 and 5, but the assessment guides for those levels have yet to be published.

CMMC Framework and Levels

The CMMC framework includes cybersecurity best practices across 17 domains. A domain, in the context of a network, refers to a group of users, workstations, devices, printers, computers and database servers that share different types of data across the network.

The five CMMC levels include defined processes and practices. Not all information is equally sensitive, and employees may have different access permissions. To allow for these variables, CMMC measures processes across five maturity levels. Reaching higher CMMC levels improves a firm's capacity to protect CUI.

Level 1

Basic Cyber Hygiene Practice: This level requires basic cybersecurity protocols deployed by most companies. To reach Level 1, firms need to implement 17 NIST SP 800-171 Rev2 controls.

Performed Process: This first tier reflects the simple, basic cybersecurity approach most firms utilize.

Level 2

Intermediate Cyber Hygiene Practice: Protocols mandated in Level 2 include universally accepted and documented best cybersecurity practices. Firms need to implement Level 1 requirements and 55 additional NIST SP 800-171 Rev2 controls to achieve this level.

Documented Process: Standard operating procedures, policies, and plans are established for all practices.

Level 3

Good Cyber Hygiene Practice: This level requires all NIST SP 800-171 Rev2 controls. This means that all controls from Level 1, Level 2 and 58 additional NIST controls need to be implemented to achieve Level 3 certification.

Managed Process: Activities are reviewed for policy and procedures adherence and properly resourced.

Level 4

Proactive Practice: This level includes advanced cybersecurity processes implemented, reviewed and updated across the enterprise. Companies need to implement practices and processes from Levels 1, 2 and 3, plus 26 additional controls (11 of which are from NIST SP 800-171 Rev B controls).

Reviewed Process: Practices are judged for effectiveness and management is informed of any issues.

Level 5

Advanced/Progressive Practice: The highest level encompasses advanced, optimized cybersecurity practices that include constant incident monitoring, reporting and improvement. Certification to Level 5 requires practices and processes from all levels in addition to 15 controls (four from NIST SP 800-171 Rev B controls).

Optimizing Process: Activities are standardized across organizational units and improvements are shared.

Level 1-5 Summary

Levels 1 and 2 reflect the basic approach most companies use. Level 3 refers to DoD cybersecurity requirements in NIST SP 800-171 Rev2 with 20 added controls. Requirements for Levels 4 and 5 meet the standards of NIST SP 800-171 Rev B. Most controls are consistent with security measures many contractors use, but some are specific to CMMC.

CMMC Level
Level 1
CMMC Process
Performed
CMMC Practice
Basic Cyber Hygiene
CMMC Level
Level 2
CMMC Process
Documented
CMMC Practice
Intermediate Cyber Hygiene
CMMC Level
Level 3
CMMC Process
Managed
CMMC Practice
Good Cyber Hygiene
CMMC Level
Level 4
CMMC Process
Reviewed
CMMC Practice
Proactive
CMMC Level
Level 5
CMMC Process
Optimizing
CMMC Practice
Advanced/Progressive

Contractors should bear in mind that these are all definitions and guidelines. An organization's DoD contracting officer is the ultimate authority for determining the CMMC certification level. They are also the best person to answer questions related to how protected information should be handled under any given contract.

The Benefits of CMMC Compliance

Under the new CMMC requirements, contractors who are certified have a distinct competitive advantage within the defense industrial base (DIB), which includes an estimated 350,000 suppliers. Proactive defense contractors will start the certification process even before a request for proposal (RFP) is initiated.

When it comes to multi-year contracts, companies that are CMMC compliant early in the process will be in a better position to secure these contracts. Firms that wait until the last minute will likely have fewer contract opportunities.

Aside from contracts and revenue, the largest benefit is CMMC certified suppliers will be better protected against cybersecurity attacks and data breaches, having implemented network information security protocols consistent with industry best practices. This benefit can further protect an organization's reputation and could extend to contracts outside of the DoD.

Dancel offers her perspective: "I think many organizations are already inherently protecting their information and data. So, adding this other layer of technical controls and documentation will only enhance the security measures they have already implemented."

A Smart Approach to CMMC

Contractors who plan on continuing to work with the DoD recognize CMMC requires a higher level of cybersecurity measures. The rigorous process will also have the effect of forcing out suppliers, either not interested or unable, to meet the enhanced information security requirements mandated by CMMC.

Some suppliers will lose the opportunity to bid on DoD contracts, but for savvy contractors willing to undertake certification steps, those opportunities will still be available. Also, as with any new, large-scale, multi-year government program, changes will be a reoccurring part of the process, especially in the early part of the five-year rollout.

Motivated DoD suppliers will stay informed about CMMC, take changes in stride and be proactive in order to achieve early certification. These organizations recognize as contracts with CMMC requirements are announced and RFPs are published, early CMMC certification will open doors that may well be closed to their non-compliant competitors.

Ready to Begin the Process?

Contact us with questions or to receive a quote.