Title : CMMC - Levels Overview

Posted by : Tariq Azmi | 2020-02-15

Quick Overview of CMMC Levels 1-5

  • Level 1: Basic Cyber Hygiene includes 17 practices derived from NIST standards. Level 1 requires a performance-only approach to cybersecurity. These standards are basic cybersecurity practices most companies should already be using when working for the DoD.
  • Level 2: Intermediate Cyber Hygiene includes 72 practices: 55 new standards plus the 17 from level 1. Level 2 is a big step up from level 1 in that an organization is expected to establish and document standard operating procedures, policies, and strategic plans for its cybersecurity program.
  • Level 3: Good Cyber Hygiene includes 130 practices. This level will be required of any organization that handles, uses, or shares Controlled Unclassified Information (CUI). Level 3 certification requires the addition of incident reporting and the ability to demonstrate the management of practice implementation.
  • Level 4: Proactive includes 156 practices and generally indicates a more advanced cybersecurity system. Many organizations won't be required to reach CMMC level 4. A level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
  • Level 5: Advanced/Progressive includes 171 practices and is the highest level of CMMC compliance. Level 5 organizations have an advanced, progressive cybersecurity system in place. These organizations will have the ability to assess advanced threats and optimize tools to repel these threats.

These numbers seem intimidating, but it's important to remember that the levels build on one another. For instance, instead of 72 additional practices for level 2, you'll be adding 55 to the 17 already implemented in level 1. Additionally, the practices aren't new; they're reiterations of practices from Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, NIST SP 800-171r1, and Draft NIST SP 800-171B. The processes are more loosely defined, and the process maturity expected at each of the five levels changes as follows.

  • Level 1: Performed
  • Level 2: Documented
  • Level 3: Managed
  • Level 4: Reviewed
  • Level 5: Optimized