The CMMC model ensures that DoD contractors meet the cybersecurity requirements of the certification level appropriate to the data they handle. There are five CMMC certification levels, but the number of levels on its own is misleading: most contractors will only need the lower ones. An estimated 75% of vendors will only need Level 1 certification, 25% will need Level 2 or 3, and only a small 5% will need Level 4 or 5.
Which level is right for you? We explain each of the five levels below.
Level 1. “Basic Hygiene”
Level 1 covers 17 CMMC model requirements and those set forth in 48 CFR 52.204-21. Contractors looking to achieve Level 1 status need to have basic cybersecurity controls in place. These include basic asset management, authentication, and access controls, such as frequent password changes, unique user accounts, and anti-virus software. Organizations in this category are more likely to deal with Federal Contract Information (FCI) than with CUI. There is no requirement for a process maturity rating at this level; however, it is something to consider.
Level 2. “Cyber Hygiene”
Level 2 is a transitional step to Level 3 and brings forward the need to implement NIST SP 800-171. This is due to an expanded scope, from protecting FCI to protecting CUI. If you are already implementing NIST SP 800-171, then we recommend that you look for a solution that maps your existing controls to CMMC and jumpstarts your certification.
Level 3. “Good Cyber Hygiene”
Organizations seeking Level 3 certification must demonstrate that they have implemented effective security controls and that they have the ability to protect CUI. This includes compliance with all security requirements of NIST 800-171 and DFARS Clause 252.204.7012. Effectively, Level 3 is the demonstrated implementation of all Level 1 and Level 2 policies and procedures. Demonstrating implementation requires continuous control monitoring. Your spreadsheet is not your friend here!
Level 4. “Proactive”
Level 4 covers proactive measures to safeguard CUI from Advanced Persistent Threats (APTs). These are mostly nation-state sponsored threat actors who pose a serious danger to the nation's security. Certification at this level requires compliance with the 110 NIST 800-171 requirements plus 46 other practices across all 17 domains of the CMMC model.
Level 5. “Progressive”
Level 5 is about “optimization”. Certification at this level automatically implies that the contractor meets all criteria set by the CMMC, including all requirements at Levels 1-4. Organizations must have an advanced, progressive cybersecurity program in place.