CMMC Requirements Per Level – Complete Guide

As mentioned in the first part of this article, there are five certification levels under CMMC, level 1 being the lowest and level 5 the highest. That article also covered the terminology and the rationale behind the introduction of CMMC.

In this article, we will go deeper into each level of Cybersecurity Maturity Model Certification.

CMMC Levels and Their Respective Requirements

It is important to understand the processes and practices an organization must adhere to in order to be certified at each cybersecurity maturity level.

This section contains tables showing the domains (and their respective processes and practices) at each level of maturity.

Note that CMMC certification is cumulative: an organization must satisfy all level 1 practices before it is eligible for level 2, all level 1 and 2 practices before level 3, and so on.

Note: The practice codes on the left side of each table are read as [DOMAIN].[LEVEL].[PRACTICE NUMBER].

Example: AC.1.001 means Access Control (domain), 1 (level), 001 (practice number).
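The notation above, together with the cumulative rule, is easy to encode. The following is an added example (not the article's own tooling and not part of CMMC) that parses practice identifiers in the [DOMAIN].[LEVEL].[PRACTICE NUMBER] form and, given a target level, returns the practices an assessment at that level would cover. Only AC.1.001 comes from the article; the other identifiers in the sample list are constructed for illustration, and the two-letter domain codes other than AC are assumed.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Grammar of a CMMC v1.0 practice identifier as described in the article:
# two-letter domain code, a level from 1 to 5, and a three-digit practice number.
PRACTICE_ID = re.compile(r"^(?P<domain>[A-Z]{2})\.(?P<level>[1-5])\.(?P<number>\d{3})$")


@dataclass(frozen=True)
class PracticeId:
    domain: str   # e.g. "AC" for Access Control
    level: int    # 1..5
    number: int   # practice number within the domain

    def __str__(self) -> str:
        # Re-emit in the canonical zero-padded form, e.g. AC.1.001
        return f"{self.domain}.{self.level}.{self.number:03d}"


def parse_practice_id(text: str) -> PracticeId:
    """Parse 'AC.1.001' into its three components; reject anything malformed."""
    m = PRACTICE_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a CMMC practice identifier: {text!r}")
    return PracticeId(m["domain"], int(m["level"]), int(m["number"]))


def practices_required_for(target_level: int, practice_ids) -> list:
    """Certification is cumulative: a level-N assessment covers every practice
    tagged with level 1..N. Returns the applicable identifiers as strings,
    sorted by domain, then level, then practice number."""
    if not 1 <= target_level <= 5:
        raise ValueError("CMMC levels run from 1 to 5")
    parsed = [parse_practice_id(p) for p in practice_ids]
    applicable = [p for p in parsed if p.level <= target_level]
    applicable.sort(key=lambda p: (p.domain, p.level, p.number))
    return [str(p) for p in applicable]


def count_by_level(practice_ids) -> dict:
    """How many practices are introduced at each level (useful for gap analysis)."""
    return dict(Counter(parse_practice_id(p).level for p in practice_ids))


# Constructed sample input: AC.1.001 is the article's example; the rest are
# placeholders that merely follow the notation and are not claimed to be real practices.
SAMPLE_IDS = ["SC.3.177", "AC.1.001", "AC.2.007", "IR.4.100", "AC.1.002", "AU.5.055"]

if __name__ == "__main__":
    for level in range(1, 6):
        print(f"Level {level}: {practices_required_for(level, SAMPLE_IDS)}")
    print("introduced per level:", count_by_level(SAMPLE_IDS))
```

Because the filter is `p.level <= target_level`, a level 3 scope automatically includes every level 1 and level 2 practice, which matches the cumulative rule the article states; the parser also rejects lowercase domains, levels outside 1 to 5, and practice numbers that are not exactly three digits, so a typo in a spreadsheet of practice codes surfaces immediately rather than silently dropping out of scope.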

Cybersecurity Maturity Model Certification Levels

CMMC Level 1

Focus: Safeguard Federal Contract Information (FCI)
Processes: Performed
Practices: Basic Cyber Hygiene

The practices included in level 1 are limited to those that focus on the protection of FCI and that correspond to the safeguarding requirements enumerated in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

Level 1 only requires organizations to perform the practices. Process maturity is not assessed at this level because the practices may be performed in an ad hoc (as-needed) manner.

[Figure 1 – Practices Required for Level 1 Certification (table image not reproduced)]

CMMC Level 2

Focus: Serve as a transition step in cybersecurity maturity progression to protect CUI.
Processes: Documented
Practices: Intermediate Cyber Hygiene

CMMC Level 2 is the transitional step between levels 1 and 3. It consists of a subset of the security requirements in NIST SP 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”), together with practices drawn from other standards and references.

Level 2 requires organizations to establish and document their practices and policies so that they can be performed in a consistent and repeatable manner. By documenting the necessary practices and processes, and performing them as documented, organizations are expected to develop mature capabilities.

[Figure 2 – Practices Required for Level 2 Certification (Table 1 of 3; table image not reproduced)]
[Figure 3 – Practices Required for Level 2 Certification (Table 2 of 3; table image not reproduced)]
[Figure 4 – Practices Required for Level 2 Certification (Table 3 of 3; table image not reproduced)]

CMMC Level 3

Focus: Protect Controlled Unclassified Information (CUI)
Processes: Managed
Practices: Good Cyber Hygiene

Certification level 3 focuses on the protection of CUI and covers all of the security requirements enumerated in NIST SP 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”), along with practices from related standards and references that mitigate threats. DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond NIST SP 800-171, notably cyber incident reporting.

Level 3 requires organizations to establish, maintain, and provide a plan (which may include missions, goals, training, and stakeholders, among other items) describing how they will manage the implementation of the practices.

[Figure 5 – Practices Required for Level 3 Certification (Table 1 of 3; table image not reproduced)]
[Figure 6 – Practices Required for Level 3 Certification (Table 2 of 3; table image not reproduced)]
[Figure 7 – Practices Required for Level 3 Certification (Table 3 of 3; table image not reproduced)]

CMMC Level 4

Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
Processes: Reviewed
Practices: Proactive

CMMC level 4 focuses on the protection of CUI from APTs. It consists of a subset of the security requirements in NIST SP 800-172 (“Enhanced Security Requirements for Protecting Controlled Unclassified Information”), together with other cybersecurity best practices.

Performing the level 4 practices enhances an organization's ability to detect, respond to, and adapt to the continuously changing tactics, techniques, and procedures (TTPs) employed by APTs.

Level 4 obliges organizations to review and measure the effectiveness of their practices. Organizations are expected to be responsive, taking corrective action immediately when issues arise and reporting status and issues to higher-level management on a recurring basis.

[Figure 8 – Practices Required for Level 4 Certification (Table 1 of 2; table image not reproduced)]
[Figure 9 – Practices Required for Level 4 Certification (Table 2 of 2; table image not reproduced)]

CMMC Level 5

Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
Processes: Optimizing
Practices: Advanced/Progressive

Certification level 5 focuses on the protection of CUI from APTs and incorporates additional practices that increase the depth and sophistication of an organization's cybersecurity capabilities.

Level 5 requires organizations to standardize and optimize the implementation of their processes across the entire organization.

[Figure 10 – Practices Required for Level 5 Certification (table image not reproduced)]

Final Words

The practices and processes required across the CMMC levels are undeniably difficult to understand, and complying with all of them is harder still.

Therefore, you might need assistance in pursuing CMMC. CyberLife can help. We can do a comprehensive Cyber Security Audit of your organization to jumpstart your compliance with the certification standards.

Email us at sales@cyberlife.web or give us a call at 424.349.3848.

For further reading about CMMC, visit the official CMMC website.
