All you need to know: CMMC Levels 1-5


The CMMC model ensures that DoD Contractors meet the specific certification-level cybersecurity requirements for the data they are handling. There are five CMMC Certification levels, but this in itself is misleading. An estimated 75% of vendors will only need Level One Certification. 25% will need Level Two or Three, and only a small 5% will need Level Four or Five.

Which level is right for you? We explain each of the five levels below. You can also click here to jumpstart your certification process.

Level 1. “Basic Hygiene”

Level 1 covers 17 CMMC model requirements and those set forth in 48 CFR 52.204-21.  Contractors looking to achieve a Level 1 status need to have basic cybersecurity controls in place. These include basic Asset Management, Authentication, and Access Controls, or, frequent passwords changes, unique user accounts, and anti-virus software,  Organizations in this category are more likely to deal with Federal Contract Information (FCI) rather than handling CUI.  There is no requirement for a process maturity rating at this level, however, it’s something to consider. 

Level 2. “Cyber Hygiene”

Level 2 is a transitional step to Level 3 and brings forward the need to implement Nist SP 800-171. This is due to an expanded scope from protecting FCI to protecting CUI.  If you are already implementing Nist SP 800-171, then we recommend that you look for a solution to map your existing controls to CMMC and jumpstart your certification. 

Level 3. “Good Cyber Hygiene”

Organizations seeking to gain Level 3 certification must demonstrate that they have implemented effective security controls and that they have the ability to protect CUI.  This includes compliance with all security requirements of NIST 800-171 and DFARS Clause 252.204.7012. Effectively, Level 3 is demonstrated implementation of all Level One and Two policies and procedures. Demonstrating implementation requires continuous control monitoring. Your spreadsheet is not your friend here!

Level 4. “Proactive”

Level 4 covers pro-active measures to safeguard CUI from Advanced Persistent Threats. These are mostly nation-state sponsored threat actors who are highly dangerous to the nation’s security, often referred to as  APTs. Certification at this level requires compliance with 110 NIST 800-171 Requirements plus 46 other practices across all 17 domains of the CMMC model.

Level 5. “Progressive”

Level 5  is “optimization”. Certification automatically implies that the contractor meets all criteria set by the CMMC including all requirements at Levels 1-4. Organizations must have an advanced or progressive cybersecurity program in place.

For more information on how to get CMMC certified, email us at: or find us here.

Read what our clients say about us on Capterra

10 “more” security tips for working from home

Just recently, I had a conversation with a friend, who works for the U.S. Navy. She is overwhelmed with work as she teleworks from home because of the Covid-19. Her profession can easily be switched to telework, whereas other coworkers can’t, but that is no reason effective guidance cannot be provided. Here is what she had to say…

With the outbreak of Covid-19, we are dealing with an unforeseen occurrence, a black swan event. As a cyber professional, I hope organizations have a Continuity of Operations Plan (COOP) to initiate along with their Standard Operating Procedures (SOP). Many do have such plans, but for others, it is abundantly clear guidance is missing. It is not simply about “putting” the language into a document, “checking” the boxes, and copying off SANS Institute’s website. You need an AFFECTIVE plan than can be INITIATED, UNDERSTOOD and FOLLOWED by others.

My 10 Step Program


Ensure internet connections work. Test your communication portals like Zoom, Skype, etc. Review security and privacy protocols, especially if you have roommates. Just because you are home, does not mean you be relaxed with security protocols. Consistency ensures efficiency. INVENTORY: Your organization should ensure you have access to the type of equipment you need to work remotely. You may need to take note what you have access to and communicate this effectively with management and make request for items you do not have. CLOUD-BASED CAPABILITIES: To ensure feasibility to the Internet, file-sharing, e-mail and unified communications via mobile applications, chat, etc., the right cloud-based tools need to be available. Check them.


As an employee, before reading up on any guides or joining a Team chat, make a commitment to yourself. This means planning, such as ensuring you cleared a space for yourself, not matter how small. Try to create a home office space, even at the kitchen table. This is your spot. Own it. STAY ORGANIZED: Create a personal “to-do list” each morning. Keep track of the time required (i.e. 8 hrs.). Consider creating your own timecard where you note hours spent on each ticket item. Ensure you have breaks and embrace the flexibility of working from home. But, at the end of the day, ensure you meet your objectives. WORK FLEXIBILITY: With being remote, you have flexibility with your start time and end time. Ideally, if doing 8 hours, you should commit to those hours. However, even I will scatter my time throughout the day or make it up on another day. It is all too easy to work during dinner, and before bed.

*Side note: I personally created my own classical music list off Spotify to ensure no distractions. I’m like a squirrel and can get excited about shiny objects, so my music keeps me on track and closed off to distractions.


Hopefully, your company has provided you with the right material to work remote. If not, no worries! Be accountable to yourself. You can ensure the chain of communication work. Some workers feel isolated, so it is important for your organization to maintain some sort of social contact with other employees. I suggest, if you have Office 365 or Zoom, to initiate a weekly Scrum Call at the beginning of the week and end. If this is not in place… be a star and create one or suggest it to management. DELEGATE: Embrace delegating. I’ve often come across employees who struggle with this. OVER-COMMUNICATE: Document everything to ensure colleagues are informed and information does not get lost through digital mail. I also create a Weekly Status Update or WSR (can download templates online) for my weekly meetings. I am amazed how organization and accountability and simple note taking can easily impress people.


Take some time for you! Depending on how long you will be teleworking, being closed off can feel like you have fewer opportunities for training and professional development. With Covid-19, I personally think this is a great time for training! This challenge can easily be alleviated by communication between the supervisor and the employee, as well as effective performance monitoring on the part of the supervisor.