last changes July 6th 2021
CMMC Certification Levels
This page is intended to provide a quick overview of what each level consists of. For the full details please see the official CMMC program.
If you are wondering which of the five CMMC Certification Levels your company will be required to conform with: The CMMC level mandated will be stated in the contract information. The majority of contracts will require a Level 1 or Level 3 certification.
As a general rule:
- If your company will receive exclusively Federal Contract Information (FCI) under the contract, then your will need CMMC Level 1 implementation and certification.
- However, if your organization will receive Controlled Unclassified Information (CUI) in addition, then CMMC Level 3 will be required as a minimum.
All CMMC Certification Levels above Level 1 consist of two measurements; Processes and Practices. Processes are things such as creating policies and plans for each of the 17 domains covered by the CMMC. In contrast, Practices are the actual implementation of controls such as Access Control and Configuration Management.
CMMC Level 1 is the base level of certification and consists of practices that correspond to basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. This lowest level consists of 17 basic cyber security practices such as implementing Identity and Authentication and basic Access Controls. Level 1 is all about protecting Federal Contract Information (FCI) and will be required for anyone who obtains a DoD contract but does not produce solely Commercial Off the Shelf products. The vast majority of DOD contracts will require this level of certification.
The purpose of Level 2 seems to be to create a base level of cyber security for any organization who has Controlled Unclassified Information (CUI) in their organization and as such requires a higher level of security than those who only have FCI. CMMC Level 2 certification will require written policies for each of the 17 domains covered by the CMMC as well as documented practices for implementing the policies for each domain. It will also be a more extensive set of security practices that are a subset of the security requirements listed in NIST SP 800-171 with a total of 55 additional practices to put in place in addition to those listed in Level 1.
We see this Level as a transitionary step in preparation to Level 3 which will not make business sense for most organizations as it does not allow for the handling of CUI yet.
At Level 3 the focus is on protecting CUI, fleshing out the base security practices established in Levels 1 & 2, and increasing the overall security of the organization. CMMC Level 3 certification will require that the organizations establish, maintain, and resource a plan that demonstrates the management of activities for the implementation of CMMC. The practices encompass all the security requirements in NIST SP 800-171 as well as additional practices and standards for a total of 58 new practices on top of those required for a Level 2 implementation.
If your organization handles both – FCI and CUI – you will have to meet CMMC Level 3 requirements or higher. This is why we expect this to be the second most – if not most frequently mandated maturity requirement of all CMMC Certification Levels.
If an organization is required to achieve Level 4 certification then the main focus shifts to enhancing the organizations effectiveness of protecting CUI from Advanced Persistent Threats (APTs). While it does not have as many new practices to implement as Levels 2 and 3 did, the practices listed are much more complex and time consuming to both implement and maintain. CMMC Level 4 will require that an organization review and measure practices for effectiveness as well as implement a subset of enhanced security practices from DRAFT NIST SP 800-171B and other security best practices for a total of 26 additional practices on top of those required for Level 3.
Ecuron estimates that less than 100 companies will be required to become CMMC Level 4 compliant.
CMMC Level 5 will require that organizations standardize and optimize process implementation across the organization. This level is again focused on the protection of CUI from APTs and as such implements many more advanced security practices for the organization. The additional practices will increase the depth and sophistication of cybersecurity abilities for the organization and consists of an additional 15 practices above CMMC Level 4.
As for Level 4, we expect less than 100 organizations to fall into this category.
How to Get There:
Due to our status as a CMMC Registered Provider Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC Gap Analysis, CMMC Implementation Help, CMMC Pre-Assessment.
We do not conduct the final Certification Assessments.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment
See where your organization stands and what it takes to achieve compliance
- CMMC Implementation Help
Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment
Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. Once we are confident that you are ready for the CMMC Assessment we will recommend to schedule the actual audit.
- CMMC Assessment Support
We help you prepare for the certification audit, gather & organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.
Join Our CMMC Notification List
Sign up below and we will notify you about CMMC related news, updates, and services.