CMMC Levels Explained: A Guide to the 5 CMMC Maturity Levels
Unlike NIST SP 800-171, the CMMC model possesses five levels. Learn about the CMMC framework, who it affects, and what it means for the future of DoD contracts.
The US Department of Defense (DOD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) on January 20, 2020. The CMMC framework allows contractors in the Defense Industrial Base (DIB) to better assess and improve their cyber security posture.
The CMMC ensures that contractors implement the appropriate levels of cyber security practices and procedures needed to protect controlled unclassified information (CUI) and federal contract information (FCI). This page provides an overview of the Cybersecurity Maturity Model Certification, CMMC levels and the process for starting your journey towards CMMC compliance.
Do you need to be DFARS 252.204-7012, 7019 and 7020 compliant? Schedule a free consultation with the cyber security experts at cuick trac™ today to learn how we can help.
Cuick trac™ is a cost-effective, practical solution that helps you receive, process and transmit controlled unclassified information (CUI). Call 763-546-8354 or schedule an online cuick trac™ demo today.
Under DFARS 252.204-7012, DoD contractors were responsible for implementing their own cyber security practices and monitoring their compliance with those practices prior to the release of CMMC. Audits of contractors were rare, and they were often allowed to attest to their own level of security, resulting in inconsistent compliance with security requirements. CMMC changes this paradigm by requiring all DoD contractors to be independently audited by a certified third party.
CMMC maps best practices in cyber security to five maturity levels. Level 1 indicates the lowest level of cyber security maturity with the simplest processes and most basic cyber hygiene practices. Level 5 is the highest level of cyber security maturity in the CMMC model and applies to optimized processes and the most advanced cyber hygiene practices.
CMMC incorporates existing federal regulations regarding cyber security such as 48 CFR 52.204-21, DFARS clause 252.204-7012, NIST SP 800-171, and NIST SP 800-172 into a single set of best practices in cyber security. It categorizes these practices into 17 domains with 43 capabilities distributed across those domains. The capabilities that contractors must demonstrate depend on the CMMC level they're seeking. The data below itemizes the 43 CMMC capabilities and their association with the 17 domains of the CMMC model:
Access Control (AC)
Asset Management (AM)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Recovery (RE)
Risk Management (RM)
Security Assessment (CA)
Situational Awareness (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Organizations can demonstrate compliance with the above capabilities by adhering to a range of practices and processes. Practices are the technical activities of each capability and consist of 171 practices mapped across the five CMMC levels. Processes measure an organization's maturity in implementing cyber security procedures, which include nine practices mapped across the maturity levels.
The figure below illustrates the distribution of the 171 practices across the 17 domains. The domains are listed on the left, with the number of practices in each maturity level according to color. Six domains account for 105 out of 171 practices, including the following:
By 2026, all contractors that do business with the DoD must comply with CMMC except those who only handle commercial off-the-shelf software (COTS). This requirement applies to prime contractors as well as their subcontractors and every supplier the prime contractor works with across their entire supply chain.
Each DoD contract will specify the CMMC maturity level that each contractor must meet, so contractors on the same contract may have different CMMC requirements. For example, some parts of a contract may require the prime contractor for that section to meet CMMC Level 3, while only requiring its subcontractors to meet Level 1. The CMMC Accreditation Body (CMMC-AB) is currently working with the DoD to ensure that independent, third-party assessors are available for contractors at each of the CMMC levels. (Learn more: Who needs CMMC compliance?)
The passage of the DFARS general rule in December 2020 allowed the DOD to introduce CMMC and solidify its importance in DOD contracts. CMMC level 3 is based mostly on NIST 800-171, which specified the cyber security standards for DIB contractors handling CUI prior to the deployment of CMMC. Contractors can still refer to DFARS clause 252.204-7012 for guidance on self-assessing their cyber security capabilities until CMMC is more widely enforced.
With the addition of DFARS 252.204-7019, which requires contractors to upload a self-assessment score, at a basic level, to the Supplier Performance Risk System (SPRS), accountability and accuracy by the contractor is far more important than in the past.
Contractors must also meet all 110 security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POAM) indicating their plan to do so. A POAM describes the specific measures that a DIB contractor will take to correct the deficiencies discovered during a security control assessment. This plan should identify the tasks the contractor needs to perform in addition to the resources those tasks will require.
The shift from self-assessments to independent assessments for cyber security compliance is one of the most significant differences between NIST 800-171 and CMMC. Third Party Assessment Organizations (C3PAOs) will now conduct these assessments, which won’t accept noncompliance with DOD cybersecurity regulations.
Under NIST 800-171, noncompliance was acceptable, provided the contractor prepared a POAM and made progress in closing their remaining gaps. CMMC also adds 20 new security requirements to Level 3, which build upon the 110 requirements already in NIST 800-171. CMMC requires contractors to meet both sets of requirements, adding further support for good cybersecurity practices.
CMMC and NIST SP 800-171 mandates will continue to coexist until the DOD completes the CMMC roll-out according to its existing timeline. The number of DoD contractors subject to CMMC will gradually increase over the next few years to include all of these contractors, while the number of defense contractors still subject to NIST SP 800-171 will drop to zero.
The CMMC maturity level that the DoD requires of its contractors depends on the sensitivity of the data these contractors will be working with. Each maturity level has its own set of processes and practices that allow the contractor to work on information with progressively greater sensitivity.
Level 1 requires organizations to perform the specified practices. However, they may be able to perform these practices in an ad-hoc manner without relying on documentation. As a result, C3PAOs don't assess process maturity for level 1. Practices at this level focus on the protection of FCI, so level 1 only includes practices that meet the basic safeguarding requirements described in 48 CFR 52.204-21.
Level 2 requires the organization to document its processes for the purpose of guiding their efforts to achieve CMMC Level 2 maturity. This documentation must also allow users to repeat these processes. Organizations must perform their processes as documented to achieve this maturity level.
Level 2 practices are classified as intermediate cyber hygiene practices, which are a progression between level 1 and level 3. They consist of a subset of the requirements specified by NIST SP 800-171 in addition to practices from other standards. Level 2 is a transitional stage, so these practices focus on protecting CUI.
Level 3 requires the organization to establish, maintain and resource a plan to manage the activities needed to implement its cyber security practices. This plan can include information on a variety of specific topics, including goals, missions, projects, resourcing, training and the involvement of organization stakeholders.
The cybersecurity practices at this level qualify as good cyber hygiene practices and focus on the protection of CUI. However, they also encompass all the security requirements that NIST SP 800-171 specifies as well as the other 20 practices added for CMMC level 3. DFARS clause 252.204-7012 still applies, which also adds requirements beyond NIST SP 800-171 such as reporting security incidents.
Learn more about CMMC Level 3 requirements & controls.
Level 4 requires the organization to periodically review the effectiveness of its security practices. It also requires organizations to take corrective action when needed and inform upper management of the status of their information systems on a recurring basis.
Level 4 practices are considered proactive and focus on the protection of CUI from advanced persistent threats (APTs), although they also encompass a subset of the requirements from the draft of NIST SP 800-172 and other documents. These practices generally improve an organization's ability to detect and respond to security threats, especially the adaptation of changes in the tactics, techniques and procedures (TTPs) of APTs.
Level 5 requires the organization to optimize its processes for the purpose of ensuring a standardized implementation across the entire organization. Practices at this level focus on the protection of CUI from APTs, and are considered advanced and proactive. The practices added at this level increase the sophistication and depth of the organization's cybersecurity capabilities.
Contractors that only need to handle basic information with a low level of sensitivity may only need to achieve CMMC Level 1. The process becomes more complex for contractors who need to handle CUI since they need to achieve at least CMMC Level 3. Achieving this level requires a comprehensive approach to security that includes the following three steps:
1. Adopt a platform that can securely exchange CUI. Companies that work with CUI frequently contain this type of information in e-mails and files, which must be protected as required by CMMC. These capabilities include end-to-end encryption and easy deployment of that encryption, to protect CUI, FCI and International Traffic in Arms Regulations (ITAR) data. cuick trac™ can help contractors navigate their best path to satisfy this.
2. Develop a robust System Security Play (SSP). This document indicates the process a contractor will use to implement the policies and procedures that CMMC Level 3 requires. C3PAOs use the SSP to understand how contractors will implement these security controls.
The SSP must provide detailed information, as general summaries of the methods for implementing controls won't allow the contractor to pass an audit. Working with subject matter experts like cuick trac™, can help contractors develop a strong SSP that will expedite their journey towards CMMC compliance.
3. Obtain a CMMC consulting partner. Contractors will often need a partner to guide them through the compliance process for CMMC. In particular, Level 3 compliance is usually too big a requirement for most companies to achieve without help. Partnering with cuick trac™, an approved Registered Provider Organization by the CMMC-AB, who can help facilitate this process and minimize costs, is critical.
For example, we can connect you to our network of experienced Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Provisional Assessors (PAs) and Registered Provider Organizations (RPOs).
CMMC will affect DoD contractors and the number of ways as its roll-out continues. For example, POAMs will no longer be accepted once the CMMC implementation is complete, phasing out the DFARS Interim Rule. At this point, all DoD contractors will need to meet all 130 security controls described in NIST SP 800-171 and CMMC Level 3.
Prime contractors for the DoD must ensure their subcontractors meet the requirements appropriate to their CMMC level, which depends on the type of data they will handle. Assume for this example that a prime contractor has CMMC Level 5, but it only shares FCI with one of its subcontractors. The DoD would only require that subcontractor to achieve CMMC Level 1.
Contractors must also meet the requirements for the level they're seeking in both practices and processes. For example, a contractor could achieve Level 3 for practices and Level 2 on processes. In this case, the contractor will be certified at the lower level, CMMC Level 2.
Contractors need to begin repairing for CMMC now rather than waiting until they receive a contract with an actual CMMC requirement. This preparation requires significant time, so failure to prepare now could result in the loss of a contract later.
The DoD is currently planning to begin adding CMMC level requirements to DOD Requests for Information (RFIs). These requirements will initially be added to about 15 procurements for critical programs and technologies in the DoD, including those related to nuclear and missile defense. CMMC certification will be used as a basis for approving or disapproving competitors for these contracts.
The data below shows the estimated number of contracts that will contain CMMC level requirements by fiscal year, although this timeline will likely change:
CMMC procurements by fiscal year
FY 2021: 15
FY 2022: 75
FY 2023: 250
FY 2024: 325
FY 2025: 475
Initially, the DoD estimated that the first round of CMMC implementation would affect about 1,500 primes and subcontractors, which was going to require CMMC certification by Fall 2021. Although this pilot program has taken longer than expected, C3PAOs are now being authorized and prime contractors are starting to look at their supply chain in a very specific manner. The rollout will continue over the next five years, with the expectation that all new DoD contracts will contain CMMC requirements by Fall 2026.
No two paths to CMMC compliance are the same, but consultants and MSPs do recommend a number of best practices. These practices may be categorized by phase, including baselining, implementation, enactment and assessment.
Baselining
Implementation
Enactment
Assessment
Beryllium is able to help contractors start their CMMC compliance journey by meeting the requirements for processing, storing and transmitting CUI. Cuick trac™ helps contractors implement 110 NIST 800-171 controls needed for CMMC Level 3 compliance.
Call 763-546-8354 or complete the online form today to schedule a demonstration or consultation with one of our security experts about your organization’s CMMC compliance.
